Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Normalization of Severity Rating for Automated Context-aware Vulnerability Risk Management
Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science. City Network International AB, Sweden.ORCID iD: 0000-0002-0128-4127
Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science.ORCID iD: 0000-0003-4494-9851
Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science. Sapienza University of Rome, ITA.ORCID iD: 0000-0002-3118-5058
2020 (English)In: Proceedings - 2020 IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion, ACSOS-C 2020, Institute of Electrical and Electronics Engineers (IEEE), 2020, p. 200-205, article id 9196350Conference paper, Published paper (Refereed)
Abstract [en]

In the last three years, the unprecedented increase in discovered vulnerabilities ranked with critical and high severity raise new challenges in Vulnerability Risk Management (VRM). Indeed, identifying, analyzing and remediating this high rate of vulnerabilities is labour intensive, especially for enterprises dealing with complex computing infrastructures such as Infrastructure-as-a-Service providers. Hence there is a demand for new criteria to prioritize vulnerabilities remediation and new automated/autonomic approaches to VRM.

In this paper, we address the above challenge proposing an Automated Context-aware Vulnerability Risk Management (AC- VRM) methodology that aims: to reduce the labour intensive tasks of security experts; to prioritize vulnerability remediation on the basis of the organization context rather than risk severity only. The proposed solution considers multiple vulnerabilities databases to have a great coverage on known vulnerabilities and to determine the vulnerability rank. After the description of the new VRM methodology, we focus on the problem of obtaining a single vulnerability score by normalization and fusion of ranks obtained from multiple vulnerabilities databases. Our solution is a parametric normalization that accounts for organization needs/specifications.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2020. p. 200-205, article id 9196350
Keywords [en]
Self-protection, vulnerability, automation, Risk assessment
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:bth-20302DOI: 10.1109/ACSOS-C51401.2020.00056ISI: 000719366200037Scopus ID: 2-s2.0-85092716270ISBN: 9781728184142 (print)OAI: oai:DiVA.org:bth-20302DiVA, id: diva2:1458794
Conference
1st IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion, ACSOS-C 2020, Virtual, Washington, United States, 17 August 2020 through 21 August 2020
Note

open access

Partially funded by the SmartDefense project n. RG11916B88C838E8.

Available from: 2020-08-18 Created: 2020-08-18 Last updated: 2023-06-07Bibliographically approved
In thesis
1. Towards Automated Context-aware Vulnerability Risk Management
Open this publication in new window or tab >>Towards Automated Context-aware Vulnerability Risk Management
2023 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The information security landscape continually evolves with increasing publicly known vulnerabilities (e.g., 25064 new vulnerabilities in 2022). Vulnerabilities play a prominent role in all types of security related attacks, including ransomware and data breaches. Vulnerability Risk Management (VRM) is an essential cyber defense mechanism to eliminate or reduce attack surfaces in information technology. VRM is a continuous procedure of identification, classification, evaluation, and remediation of vulnerabilities. The traditional VRM procedure is time-consuming as classification, evaluation, and remediation require skills and knowledge of specific computer systems, software, network, and security policies. Activities requiring human input slow down the VRM process, increasing the risk of exploiting a vulnerability.

The thesis introduces the Automated Context-aware Vulnerability Risk Management (ACVRM) methodology to improve VRM procedures by automating the entire VRM cycle and reducing the procedure time and experts' intervention. ACVRM focuses on the challenging stages (i.e., classification, evaluation, and remediation) of VRM to support security experts in promptly prioritizing and patching the vulnerabilities. 

ACVRM concept is designed and implemented in a test environment for proof of concept. The efficiency of patch prioritization by ACVRM compared against a commercial vulnerability management tool (i.e., Rudder). ACVRM prioritized the vulnerability based on the patch score (i.e., the numeric representation of the vulnerability characteristic and the risk), the historical data, and dependencies. The experiments indicate that ACVRM could rank the vulnerabilities in the organization's context by weighting the criteria used in patch score calculation. The automated patch deployment is implemented with three use cases to investigate the impact of learning from historical events and dependencies on the success rate of the patch and human intervention. Our finding shows that ACVRM reduced the need for human actions, increased the ratio of successfully patched vulnerabilities, and decreased the cycle time of VRM process.

Place, publisher, year, edition, pages
Karlskrona: Blekinge Tekniska Högskola, 2023. p. 136
Series
Blekinge Institute of Technology Doctoral Dissertation Series, ISSN 1653-2090 ; 2023:07
Keywords
Vulnerability Risk Management, VRM, Automated Context-Aware Vulnerability Risk Management, ACVRM, Information security
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:bth-24468 (URN)978-91-7295-459-5 (ISBN)
Public defence
2023-06-15, J1630 + Zoom, CAMPUS GRASVIK, KARLSKRONA, 13:00 (English)
Opponent
Supervisors
Note

In reference to IEEE copyrighted material which is used with permission in this thesis, the IEEE does not endorse any of BTH's products or services. Internal or personal use of this material is permitted. If interested in reprinting/republishing IEEE copyrighted material for advertising or promotional purposes or for creating new collective works for resale or redistribution, please go to http://www.ieee.org/publications_standards/publications/rights/rights_link.html to learn how to obtain a License from RightsLink. If applicable, University Microfilms and/or ProQuest Library, or the Archives of Canada may supply single copies of the dissertation.

Available from: 2023-04-25 Created: 2023-04-24 Last updated: 2023-09-19Bibliographically approved

Open Access in DiVA

fulltext(335 kB)551 downloads
File information
File name FULLTEXT01.pdfFile size 335 kBChecksum SHA-512
d6b7409a6013796c7a0faee41d74a72b258ca72bab2675dcbff27f563a1cb80e87f5c015e31d5c872546a67500c4e33d73229a321420750e768a0cd9267158fc
Type fulltextMimetype application/pdf

Other links

Publisher's full textScopus

Authority records

Ahmadi Mehri, VidaArlos, PatrikCasalicchio, Emiliano

Search in DiVA

By author/editor
Ahmadi Mehri, VidaArlos, PatrikCasalicchio, Emiliano
By organisation
Department of Computer Science
Computer Systems

Search outside of DiVA

GoogleGoogle Scholar
Total: 551 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

doi
isbn
urn-nbn

Altmetric score

doi
isbn
urn-nbn
Total: 416 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf