TY - GEN
T1 - Improved software vulnerability patching techniques using CVSS and game theory
AU - Maghrabi, Louai
AU - Pfluegel, Eckhard
AU - Al-Fagih, Luluwah
AU - Graf, Roman
AU - Settanni, Giuseppe
AU - Skopik, Florian
N1 - Publisher Copyright: © 2017 IEEE.
PY - 2017/10/18
Y1 - 2017/10/18
AB - Software vulnerability patching is a crucial part of vulnerability management and is informed by using effective vulnerability scoring techniques. The Common Vulnerability Scoring System (CVSS) provides an open framework for assessing the severity of software vulnerabilities based on metrics capturing their individual, intrinsic characteristics. In this paper, we enhance the use of CVSS for vulnerability scoring with the help of game theory by modelling an attacker-defender scenario and arguing that, under the assumption of rational behaviour of the players, an effective vulnerability patching strategy could be achieved with an optimal strategy, solving the game. We have implemented our strategies as new functionality in the software tool CAESAIR [1]. This research builds on our previous work [2], where we have used CVSS to inform the design of the utility functions, by performing the Nash equilibrium analysis of the game. Our findings may result in more accurate defence strategies for system administrators.
UR - http://www.scopus.com/inward/record.url?scp=85039968160&partnerID=8YFLogxK
U2 - 10.1109/CyberSecPODS.2017.8074856
DO - 10.1109/CyberSecPODS.2017.8074856
M3 - Conference contribution
AN - SCOPUS:85039968160
T3 - 2017 International Conference on Cyber Security And Protection Of Digital Services, Cyber Security 2017
BT - 2017 International Conference on Cyber Security And Protection Of Digital Services, Cyber Security 2017
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2017 International Conference on Cyber Security And Protection Of Digital Services, Cyber Security 2017
Y2 - 19 June 2017 through 20 June 2017
ER -