A Model-Based Time-to-Compromise Estimator to Assess the Security Posture of Vulnerable Networks
Title | A Model-Based Time-to-Compromise Estimator to Assess the Security Posture of Vulnerable Networks |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Alshawish, Ali; Spielvogel, Korbinian; de Meer, Hermann |
Conference Name | 2019 International Conference on Networked Systems (NetSys) |
ISBN Number | 978-1-7281-0568-0 |
Keywords | Comparative security metric, Computer science, Estimation, Human Behavior, human factors, Measurement, Metrics, Monte Carlo simulation, NIST, patch management, pubcrawl, resilience, Resiliency, risk assessment, risk management, Scalability, security, security metrics, Security Risk Estimation, security risk management, Uncertainty |
Abstract | Several operational and economic factors impact the patching decisions of critical infrastructures. The constraints imposed by such factors could prevent organizations from fully remedying all of the vulnerabilities that expose their (critical) assets to risk. Therefore, an involved decision maker (e.g. security officer) has to strategically decide on the allocation of possible remediation efforts towards minimizing the inherent security risk. This, however, involves the use of comparative judgments to prioritize risks and remediation actions. Throughout this work, the security risk is quantified using the security metric Time-To-Compromise (TTC). Our main contribution is to provide a generic TTC estimator to comparatively assess the security posture of computer networks taking into account interdependencies between the network components, different adversary skill levels, and characteristics of (known and zero-day) vulnerabilities. The presented estimator relies on a stochastic TTC model and Monte Carlo simulation (MCS) techniques to account for the input data variability and inherent prediction uncertainties. |
URL | https://ieeexplore.ieee.org/document/8854511 |
DOI | 10.1109/NetSys.2019.8854511 |
Citation Key | alshawish_model-based_2019 |