Abstract

Cyber vulnerabilities are security deficiencies in the computer and network systems of organizations that an adversary can exploit to cause significant damage. The technology and security personnel resources currently available to organizations for mitigating these vulnerabilities are highly inadequate. As a result, systems routinely remain unpatched, leaving them open to security breaches by adversaries. The potential consequences of an exploited vulnerability depend on the context as well as the severity of the vulnerability, both of which may differ among networks and organizations. Furthermore, security personnel tend to have varying levels of expertise and technical proficiency with different computer and network devices. There is a critical need for a resource-constrained approach to effectively identifying and mitigating important context-sensitive cyber vulnerabilities. In this article, we develop an advanced analytics and optimization framework to address this need and compare our approach with the rule-based methods employed in real-world cybersecurity operations centers, as well as with a vulnerability prioritization method from the recent literature. First, we propose a machine learning-based vulnerability priority scoring system (VPSS) that calculates a priority score for each vulnerability found in an organization's network and quantifies the organization's context-based vulnerability exposure. Next, we propose a decision-support system consisting of a two-step sequential optimization approach: the first model selects the high-priority vulnerability instances from the dense vulnerability report subject to resource constraints, and the second model then optimally allocates them to security personnel with matching skill types for mitigation.
Experimental results obtained on a real-world vulnerability data set show that our approach 1) outperforms both the rule-based methods and the vulnerability prioritization method from the literature in prioritizing context-sensitive vulnerabilities, which are found across highly susceptible, organizationally relevant host machines, and 2) maximizes the matching between vulnerability instance types and the corresponding security analyst skill types for optimal mitigation.
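The abstract describes the decision-support stage only at the level of "select under a resource budget, then allocate to matching skills". The following is an added illustration of that select-then-assign structure; it is not the paper's code, and the abstract does not specify which optimization models the authors use. It assumes that VPSS-style priority scores and per-instance remediation effort are already known, uses a 0/1 knapsack over an analyst-hour budget as a stand-in for the first model and a greedy skill-matched assignment as a stand-in for the second, and runs on a constructed vulnerability report and team. The instance identifiers, hosts, skill types, efforts, scores and analyst names are all constructed for the example.

```python
# Added illustration of a "select, then assign" remediation pipeline.
# Constructed example: the data, the knapsack selection and the greedy
# skill-matched assignment are stand-ins, not the paper's VPSS or models.
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnInstance:
    vid: str          # constructed identifier
    host: str         # host on which the instance was found
    skill: str        # skill type needed to remediate it
    effort: int       # analyst-hours to remediate (assumed known)
    priority: float   # VPSS-style priority score (assumed precomputed)


@dataclass(frozen=True)
class Analyst:
    name: str
    skills: frozenset  # skill types this analyst can handle
    capacity: int      # analyst-hours available in this cycle


def select_instances(vulns, budget):
    """Step 1: choose the instance set with the highest total priority whose
    total effort fits the budget (0/1 knapsack by dynamic programming).
    Returns (chosen instances in input order, total priority)."""
    n = len(vulns)
    best = [[0.0] * (budget + 1) for _ in range(n + 1)]
    for i, v in enumerate(vulns, 1):
        for b in range(budget + 1):
            best[i][b] = best[i - 1][b]            # skip instance i
            if v.effort <= b:
                take = best[i - 1][b - v.effort] + v.priority
                if take > best[i][b]:
                    best[i][b] = take              # take instance i
    chosen, b = [], budget
    for i in range(n, 0, -1):                      # backtrack through the table
        if best[i][b] != best[i - 1][b]:
            chosen.append(vulns[i - 1])
            b -= vulns[i - 1].effort
    chosen.reverse()
    return chosen, best[n][budget]


def assign_instances(selected, analysts):
    """Step 2: hand each selected instance, highest priority first, to an
    analyst who has the required skill and enough remaining hours; among
    candidates pick the one with the most spare capacity (ties by name).
    Returns (assignment {vid: analyst name}, unassigned instances)."""
    remaining = {a.name: a.capacity for a in analysts}
    assignment, unassigned = {}, []
    for v in sorted(selected, key=lambda x: -x.priority):
        candidates = [a for a in analysts
                      if v.skill in a.skills and remaining[a.name] >= v.effort]
        if not candidates:
            unassigned.append(v)                   # no matching skill or hours
            continue
        pick = sorted(candidates, key=lambda a: (-remaining[a.name], a.name))[0]
        remaining[pick.name] -= v.effort
        assignment[v.vid] = pick.name
    return assignment, unassigned


def plan(vulns, analysts, budget):
    """Run both steps in sequence and return the remediation plan."""
    chosen, total = select_instances(vulns, budget)
    assignment, unassigned = assign_instances(chosen, analysts)
    return {"selected": [v.vid for v in chosen], "total_priority": total,
            "assignment": assignment, "unassigned": [v.vid for v in unassigned]}


# Constructed sample report and team (not real data).
SAMPLE_VULNS = [
    VulnInstance("v1", "db-01", "linux", 4, 9.2),
    VulnInstance("v2", "web-01", "linux", 3, 7.5),
    VulnInstance("v3", "ad-01", "windows", 5, 8.8),
    VulnInstance("v4", "fw-01", "network", 2, 6.0),
    VulnInstance("v5", "ws-17", "windows", 2, 2.1),
    VulnInstance("v6", "ws-22", "windows", 6, 2.4),
]
SAMPLE_TEAM = [
    Analyst("alice", frozenset({"linux"}), 8),
    Analyst("bob", frozenset({"windows", "network"}), 5),
    Analyst("carol", frozenset({"linux", "windows"}), 4),
]

if __name__ == "__main__":
    print(plan(SAMPLE_VULNS, SAMPLE_TEAM, budget=12))
```

With a 12-hour budget the knapsack keeps v1, v2 and v3 (total priority 25.5) and drops the lower-scored workstation findings; the assignment step then routes both Linux instances to alice and the Windows instance to bob, and anything whose skill type no analyst covers ends up in the unassigned list rather than silently disappearing, which is the case a practitioner should report back to the planning stage.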
