Towards Automated Context-aware Vulnerability Risk Management
Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science. ORCID iD: 0000-0002-0128-4127
2023 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

The information security landscape continually evolves with increasing publicly known vulnerabilities (e.g., 25064 new vulnerabilities in 2022). Vulnerabilities play a prominent role in all types of security-related attacks, including ransomware and data breaches. Vulnerability Risk Management (VRM) is an essential cyber defense mechanism to eliminate or reduce attack surfaces in information technology. VRM is a continuous procedure of identification, classification, evaluation, and remediation of vulnerabilities. The traditional VRM procedure is time-consuming, as classification, evaluation, and remediation require skills and knowledge of specific computer systems, software, networks, and security policies. Activities requiring human input slow down the VRM process, increasing the risk of a vulnerability being exploited.

The thesis introduces the Automated Context-aware Vulnerability Risk Management (ACVRM) methodology to improve VRM procedures by automating the entire VRM cycle and reducing the procedure time and experts' intervention. ACVRM focuses on the challenging stages (i.e., classification, evaluation, and remediation) of VRM to support security experts in promptly prioritizing and patching the vulnerabilities. 

The ACVRM concept is designed and implemented in a test environment as a proof of concept. The efficiency of patch prioritization by ACVRM is compared against a commercial vulnerability management tool (i.e., Rudder). ACVRM prioritized the vulnerabilities based on the patch score (i.e., the numeric representation of the vulnerability characteristics and the risk), the historical data, and dependencies. The experiments indicate that ACVRM could rank the vulnerabilities in the organization's context by weighting the criteria used in the patch score calculation. The automated patch deployment is implemented with three use cases to investigate the impact of learning from historical events and dependencies on the success rate of the patch and on human intervention. Our findings show that ACVRM reduced the need for human actions, increased the ratio of successfully patched vulnerabilities, and decreased the cycle time of the VRM process.

Place, publisher, year, edition, pages
Karlskrona: Blekinge Tekniska Högskola, 2023, p. 136
Series
Blekinge Institute of Technology Doctoral Dissertation Series, ISSN 1653-2090 ; 2023:07
Keywords [en]
Vulnerability Risk Management, VRM, Automated Context-Aware Vulnerability Risk Management, ACVRM, Information security
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
URN: urn:nbn:se:bth-24468
ISBN: 978-91-7295-459-5 (print)
OAI: oai:DiVA.org:bth-24468
DiVA, id: diva2:1752787
Public defence
2023-06-15, J1630 + Zoom, CAMPUS GRASVIK, KARLSKRONA, 13:00 (English)
Opponent
Supervisors
Note

In reference to IEEE copyrighted material which is used with permission in this thesis, the IEEE does not endorse any of BTH's products or services. Internal or personal use of this material is permitted. If interested in reprinting/republishing IEEE copyrighted material for advertising or promotional purposes or for creating new collective works for resale or redistribution, please go to http://www.ieee.org/publications_standards/publications/rights/rights_link.html to learn how to obtain a License from RightsLink. If applicable, University Microfilms and/or ProQuest Library, or the Archives of Canada may supply single copies of the dissertation.

Available from: 2023-04-25 Created: 2023-04-24 Last updated: 2023-09-19. Bibliographically approved
List of papers
1. Normalization of Severity Rating for Automated Context-aware Vulnerability Risk Management
2020 (English). In: Proceedings - 2020 IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion, ACSOS-C 2020, Institute of Electrical and Electronics Engineers (IEEE), 2020, p. 200-205, article id 9196350. Conference paper, Published paper (Refereed)
Abstract [en]

In the last three years, the unprecedented increase in discovered vulnerabilities ranked with critical and high severity raises new challenges in Vulnerability Risk Management (VRM). Indeed, identifying, analyzing and remediating this high rate of vulnerabilities is labour-intensive, especially for enterprises dealing with complex computing infrastructures such as Infrastructure-as-a-Service providers. Hence there is a demand for new criteria to prioritize vulnerability remediation and for new automated/autonomic approaches to VRM.

In this paper, we address the above challenge by proposing an Automated Context-aware Vulnerability Risk Management (AC-VRM) methodology that aims to reduce the labour-intensive tasks of security experts and to prioritize vulnerability remediation on the basis of the organization's context rather than risk severity only. The proposed solution considers multiple vulnerability databases to obtain broad coverage of known vulnerabilities and to determine the vulnerability rank. After the description of the new VRM methodology, we focus on the problem of obtaining a single vulnerability score by normalization and fusion of the ranks obtained from multiple vulnerability databases. Our solution is a parametric normalization that accounts for the organization's needs/specifications.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2020
Keywords
Self-protection, vulnerability, automation, Risk assessment
National Category
Computer Systems
Identifiers
urn:nbn:se:bth-20302 (URN)
10.1109/ACSOS-C51401.2020.00056 (DOI)
000719366200037 ()
2-s2.0-85092716270 (Scopus ID)
9781728184142 (ISBN)
Conference
1st IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion, ACSOS-C 2020, Virtual, Washington, United States, 17 August 2020 through 21 August 2020
Note

open access

Partially funded by the SmartDefense project n. RG11916B88C838E8.

Available from: 2020-08-18 Created: 2020-08-18 Last updated: 2023-06-07. Bibliographically approved
2. Normalization Framework for Vulnerability Risk Management in Cloud
2021 (English). In: Proceedings - 2021 International Conference on Future Internet of Things and Cloud, FiCloud 2021, IEEE, 2021, p. 99-106. Conference paper, Published paper (Refereed)
Abstract [en]

Vulnerability Risk Management (VRM) is a critical element in cloud security that directly impacts cloud providers’ security assurance levels. Today, VRM is a challenging process because of the dramatic increase of known vulnerabilities (+26% in the last five years), and because it is even more dependent on the organization’s context. Moreover, the vulnerability’s severity score depends on the Vulnerability Database (VD) selected as a reference in VRM. All these factors introduce a new challenge for security specialists in evaluating and patching the vulnerabilities. This study provides a framework to improve the classification and evaluation phases in vulnerability risk management while using multiple vulnerability databases as a reference. Our solution normalizes the severity score of each vulnerability based on the selected security assurance level. The results of our study highlighted the role of the vulnerability databases in patch prioritization, showing the advantage of using multiple VDs.

Place, publisher, year, edition, pages
IEEE, 2021
Keywords
Risk Assessment, Vulnerability, Cloud security
National Category
Computer Systems
Research subject
Computer Science
Identifiers
urn:nbn:se:bth-22100 (URN)
10.1109/FiCloud49777.2021.00022 (DOI)
2-s2.0-85115338714 (Scopus ID)
Conference
8th International Conference on Future Internet of Things and Cloud, FiCloud 2021, Virtual, Online, 23 August through 25 August 2021
Available from: 2021-09-02 Created: 2021-09-02 Last updated: 2023-06-07. Bibliographically approved
3. Automated Context-Aware Vulnerability Risk Management for Patch Prioritization
2022 (English). In: Electronics, E-ISSN 2079-9292, Vol. 11, no 21, article id 3580. Article in journal (Refereed), Published
Abstract [en]

The information-security landscape continuously evolves, with new vulnerabilities and sophisticated exploit tools discovered daily. Vulnerability risk management (VRM) is the most crucial cyber defense to eliminate attack surfaces in IT environments. VRM is a cyclical practice of identifying, classifying, evaluating, and remediating vulnerabilities. The evaluation stage of VRM is neither automated nor cost-effective, as it demands great manual administrative effort to prioritize the patches. Therefore, there is an urgent need to improve the VRM procedure by automating the entire VRM cycle in the context of a given organization. The authors propose automated context-aware VRM (ACVRM) to address the above challenges. This study defines the criteria to consider in the evaluation stage of ACVRM to prioritize the patching. Moreover, patch prioritization is customized to an organization's context by allowing the organization to select the vulnerability management mode and weigh the selected criteria. Specifically, this study considers four vulnerability evaluation cases: (i) evaluation criteria are weighted homogeneously; (ii) attack complexity and availability are not considered important criteria; (iii) the security score is the only important criterion considered; and (iv) criteria are weighted based on the organization's risk appetite. The result verifies the proposed solution's efficiency compared with the Rudder vulnerability management tool (CVE-plugin). While Rudder produces a ranking independent of the scenario, ACVRM can sort vulnerabilities according to the organization's criteria and context. Moreover, while Rudder randomly sorts vulnerabilities with the same patch score, ACVRM sorts them according to their age, giving a higher security score to older publicly known vulnerabilities. © 2022 by the authors.
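The three abstracts above describe the same pipeline at different stages: severity scores pulled from several vulnerability databases are normalized onto one scale and fused (papers 1 and 2), then combined with further criteria under organization-selected weights, with ties broken in favour of older disclosures (paper 3). The following Python sketch is an added illustration of that idea and is not the thesis's or the ACVRM implementation's code; the database names and score ranges, the three criteria, the weight values for each mode, the min-max normalization and the weighted-mean fusion are all constructed assumptions, and the CVE identifiers are placeholders. With only three criteria, case (ii) ("attack complexity and availability not important") coincides with case (iii) ("security score only"), so only one of the two is listed.

```python
"""Illustrative context-aware patch prioritisation (added example).

Not code from the thesis or its ACVRM implementation. Database scales,
criteria, weighting modes and the sample inventory are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Vuln:
    cve: str                          # placeholder identifier (constructed)
    published: date                   # public disclosure date
    db_scores: dict = field(default_factory=dict)  # native severity per database
    attack_complexity: float = 0.0    # 1.0 = trivially exploitable, 0.0 = very complex
    availability: float = 0.0         # 1.0 = total availability impact


# Native score ranges of three hypothetical vulnerability databases (constructed).
DB_SCALES = {"db_a": (0.0, 10.0), "db_b": (0.0, 100.0), "db_c": (1.0, 5.0)}

# Criteria weights per vulnerability-management mode (constructed values).
MODES = {
    "homogeneous":   {"security_score": 1.0, "attack_complexity": 1.0, "availability": 1.0},
    "score_only":    {"security_score": 1.0, "attack_complexity": 0.0, "availability": 0.0},
    "risk_appetite": {"security_score": 0.6, "attack_complexity": 0.1, "availability": 0.3},
}


def normalize(score, lo, hi):
    """Map a native database score onto [0, 1] by min-max scaling."""
    return (score - lo) / (hi - lo)


def fused_security_score(v, db_weights=None):
    """Normalise each listing database's score and fuse them by weighted mean.

    A database that does not list the vulnerability contributes nothing, so
    consulting several sources widens coverage without skewing the result.
    """
    db_weights = db_weights or {}
    acc = total = 0.0
    for db, score in v.db_scores.items():
        lo, hi = DB_SCALES[db]
        w = db_weights.get(db, 1.0)      # per-database trust weight, default 1
        acc += w * normalize(score, lo, hi)
        total += w
    return acc / total if total else 0.0


def patch_score(v, mode, db_weights=None):
    """Weighted mean of the criteria under the selected mode, in [0, 1]."""
    weights = MODES[mode]
    values = {
        "security_score": fused_security_score(v, db_weights),
        "attack_complexity": v.attack_complexity,
        "availability": v.availability,
    }
    return sum(weights[c] * values[c] for c in weights) / sum(weights.values())


def rank(vulns, mode, db_weights=None):
    """Order by descending patch score; equal scores go to the older disclosure first."""
    scored = [(v, round(patch_score(v, mode, db_weights), 6)) for v in vulns]
    scored.sort(key=lambda t: (-t[1], t[0].published))
    return [(v.cve, s) for v, s in scored]


# Constructed sample inventory: 0001 and 0002 are identical except for age,
# 0003 has the highest raw severity but low complexity/availability impact.
SAMPLE = [
    Vuln("CVE-PLACEHOLDER-0001", date(2019, 3, 1), {"db_a": 8.0, "db_b": 85.0}, 1.0, 1.0),
    Vuln("CVE-PLACEHOLDER-0002", date(2022, 6, 1), {"db_a": 8.0, "db_b": 85.0}, 1.0, 1.0),
    Vuln("CVE-PLACEHOLDER-0003", date(2021, 1, 15), {"db_a": 9.9, "db_c": 5.0}, 0.1, 0.1),
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, rank(SAMPLE, mode))
```

Running it shows the context effect the abstract describes: under `homogeneous` and `risk_appetite` weighting the two high-complexity-impact entries lead and the older of the tied pair is placed first, while under `score_only` the entry with the highest fused severity moves to the top.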

Place, publisher, year, edition, pages
MDPI, 2022
Keywords
patch prioritization, risk management, security management, vulnerability management
National Category
Computer Systems
Identifiers
urn:nbn:se:bth-23982 (URN)
10.3390/electronics11213580 (DOI)
000883429300001 ()
2-s2.0-85141721682 (Scopus ID)
Note

open access

Available from: 2022-11-24 Created: 2022-11-24 Last updated: 2023-04-26. Bibliographically approved
4. Automated Patch Management: An Empirical Evaluation Study
2023 (English). In: Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience, CSR 2023, IEEE, 2023, p. 321-328. Conference paper, Published paper (Refereed)
Abstract [en]

Vulnerability patch management is one of IT organizations' most complex issues due to the increasing number of publicly known vulnerabilities and explicit patch deadlines for compliance. Patch management requires human involvement in testing, deploying, and verifying the patch and its potential side effects. Hence, there is a need to automate the patch management procedure to meet patch deadlines with a limited number of available experts. This study proposed and implemented an automated patch management procedure to address the mentioned challenges. The method also includes logic to automatically handle errors that might occur in patch deployment and verification. Moreover, the authors added an automated review step before patch management to adjust the patch prioritization list if multiple cumulative patches or dependencies are detected. The result indicated that our method reduced the need for human intervention, increased the ratio of successfully patched vulnerabilities, and decreased the execution time of vulnerability risk management.

Place, publisher, year, edition, pages
IEEE, 2023
Keywords
Vulnerability, Risk Management, Cybersecurity, Patch Management
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:bth-24467 (URN)
10.1109/CSR57506.2023.10224970 (DOI)
2-s2.0-85171787878 (Scopus ID)
9798350311709 (ISBN)
Conference
3rd IEEE International Conference on Cyber Security and Resilience, CSR 2023, July 31 - August 2, 2023, Venice.
Available from: 2023-04-24 Created: 2023-04-24 Last updated: 2023-10-30. Bibliographically approved

Open Access in DiVA

fulltext (3920 kB), 171 downloads
File information
File name: FULLTEXT03.pdf
File size: 3920 kB
Checksum SHA-512: 74075310cb7c4287bce9184b3f9d3b4d442031543faba2e4a57f6d94b428aae70f41f522c6706827225395e542681b7feaf737890fc93bda0e5027655161e555
Type: fulltext
Mimetype: application/pdf

Authority records

Ahmadi Mehri, Vida
