Title
Pareto-Optimal Adversarial Defense of Enterprise Systems
Abstract
The National Vulnerability Database (NVD) maintained by the US National Institute of Standards and Technology provides valuable information about vulnerabilities in popular software, as well as any patches available to address these vulnerabilities. Most enterprise security managers today simply patch the most dangerous vulnerabilities—an adversary can thus easily compromise an enterprise by using less important vulnerabilities to penetrate an enterprise. In this article, we capture the vulnerabilities in an enterprise as a Vulnerability Dependency Graph (VDG) and show that attack graphs can be expressed in them. We first ask the question: What set of vulnerabilities should an attacker exploit in order to maximize his expected impact? We show that this problem can be solved as an integer linear program. The defender would obviously like to minimize the impact of the worst-case attack mounted by the attacker—but the defender also has an obligation to ensure a high productivity within his enterprise. We propose an algorithm that finds a Pareto-optimal solution for the defender that allows him to simultaneously maximize productivity and minimize the cost of patching products on the enterprise network. We have implemented this framework and show that runtimes of our computations are all within acceptable time bounds even for large VDGs containing 30K edges and that the balance between productivity and impact of attacks is also acceptable.
Year: 2015
DOI: 10.1145/2699907
Venue: ACM Trans. Inf. Syst. Secur.
Keywords: adversarial models, computer security, enterprise systems, general
DocType: Journal
Volume: 17
Issue: 3
ISSN: 1094-9224
Citations: 13
PageRank: 0.69
References: 29
Authors: 5
| Name | Order | Citations | PageRank |
|---|---|---|---|
| Edoardo Serra | 1 | 24 | 4.03 |
| Sushil Jajodia | 2 | 9375 | 1839.16 |
| A. Pugliese | 3 | 115 | 12.90 |
| Antonino Rullo | 4 | 45 | 6.48 |
| V. S. Subrahmanian | 5 | 6864 | 1053.38 |