Archive | 2019

A Proximity-Based Measure for Quantifying the Risk of Vulnerabilities


Abstract


Identification and remediation of the system vulnerabilities that pose the highest risk are crucial for maintaining the security posture of computer networks. In the literature, a large number of metrics are available for vulnerability risk assessment. However, they fail to consider critical network risk conditions that affect the success of an adversary. Consequently, evaluation of the vulnerability risk based on current metrics is misleading, and hence the derived vulnerability remediation plan often results in an ineffective application of countermeasures. To overcome this problem, we have proposed a comprehensive, integrated metric called Improved Relative Cumulative Risk (IRCR). For a given vulnerability, IRCR takes into account the CVSS Base Score, the vulnerability's proximity to the attacker's initial position, and the risk of the neighboring vulnerabilities. The proposed metric was tested on a synthetic network, and experimental results show that IRCR can be used effectively for assessing the security risk of each of the exploitable vulnerabilities. Based on the IRCR recommendations, an administrator can accurately determine the top vulnerabilities and prioritize the vulnerability remediation activities accordingly. To validate the efficacy and applicability of the proposed method, we have compared the IRCR metric with state-of-the-art attack graph-based metrics such as cumulative attack probability and cumulative attack resistance. Experimental results demonstrate that the proposed IRCR metric can be complementary to the current attack graph-based metrics in measuring the influence levels of exploitable vulnerabilities.

Pages 41-59
DOI 10.1007/978-981-15-4825-3_4
Language English
