Abstract
Security and risk assessment aims to prioritize detected vulnerabilities for remediation in a computer networking system. The widely used expert-based risk prioritization approach, e.g., the Common Vulnerability Scoring System (CVSS), cannot realistically associate vulnerabilities with the likelihood of exploitation. CVSS metrics are calculated from static formulas and cannot easily integrate attackers' motivations and capabilities with respect to the network's environmental factors. To address this issue, this paper proposes LICALITY, a vulnerability risk prioritization system. LICALITY captures the attacker's preferences in exploiting vulnerabilities through a threat modeling method and learns the threat attributes that contribute to the exploitation of a vulnerability. LICALITY uses a neuro-symbolic model, combining neural network (NN) and probabilistic logic programming (PLP) techniques, to learn these threat attributes. The risk of a vulnerability is assessed from the criticality of exploitation and the likelihood of exploitation; LICALITY consolidates these two measurements with a logic reasoning engine. In the evaluation, both the historical threat and the future threat are drawn from real attack scenarios. The results show that, compared with CVSS, LICALITY reduces the vulnerability remediation work required to cover the future threat by a factor of 2.89 in the first case study and by a factor of 1.85 in the second. The future threats are the top routinely exploited vulnerabilities and the vulnerabilities chained in APT attacks, as reported in Cybersecurity and Infrastructure Security Agency (CISA) alerts.
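The following is an added illustration of the prioritization idea in the abstract, not code from the paper or the LICALITY system. It stands in for the NN+PLP model with a fixed set of probabilistic rules (rule weights are assumed), scores risk as criticality (CVSS base score) times the rule-derived likelihood of exploitation, and measures "remediation work" as how many vulnerabilities must be fixed, in ranked order, before every vulnerability that is later actually exploited has been covered. The inventory, the threat attributes, and the set of later-exploited vulnerabilities are all constructed placeholders (V1 to V8, not real CVEs); the metric is a simplification of the paper's evaluation, assumed here for illustration.

```python
"""Toy risk prioritization: criticality x likelihood, likelihood from
probabilistic rules. Added example; not the LICALITY implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    name: str     # constructed placeholder, not a real CVE identifier
    cvss: float   # criticality of exploitation: CVSS base score, 0-10
    facts: dict   # threat attributes with probabilities (assumed inputs)


# Probabilistic rules in PLP style. Atoms in a body are conjoined (product of
# probabilities); alternative bodies for the same head are combined with
# noisy-OR. The weights are assumed, standing in for learned parameters.
RULES = (
    (("reachable", "public_exploit"), 0.8),  # exploit(V) :- reachable(V), public_exploit(V).
    (("reachable", "matches_ttp"), 0.6),     # exploit(V) :- reachable(V), matches_ttp(V).
    (("low_complexity",), 0.1),              # weak prior: easy bugs get tried anyway
)


def likelihood(v: Vuln) -> float:
    """P(exploit(V)) under RULES: noisy-OR over the rule bodies."""
    p_none = 1.0
    for body, weight in RULES:
        p_body = weight
        for atom in body:
            p_body *= v.facts.get(atom, 0.0)
        p_none *= 1.0 - p_body
    return 1.0 - p_none


def risk(v: Vuln) -> float:
    """Consolidate criticality (CVSS/10) with likelihood of exploitation."""
    return (v.cvss / 10.0) * likelihood(v)


def ranking(vulns, score):
    """Names in descending score order (stable for ties)."""
    return [v.name for v in sorted(vulns, key=score, reverse=True)]


def remediation_work(order, future_threat):
    """Count of vulns fixed, following `order`, before every vuln in
    `future_threat` (those later actually exploited) is covered."""
    return 1 + max(order.index(name) for name in future_threat)


def compare(vulns, future_threat):
    by_cvss = ranking(vulns, lambda v: v.cvss)
    by_risk = ranking(vulns, risk)
    w_cvss = remediation_work(by_cvss, future_threat)
    w_risk = remediation_work(by_risk, future_threat)
    return {"cvss_order": by_cvss, "risk_order": by_risk,
            "cvss_work": w_cvss, "risk_work": w_risk,
            "reduction_factor": w_cvss / w_risk}


# Constructed inventory: high CVSS scores on bugs the attacker cannot reach,
# and mid-range scores on reachable, weaponized bugs that match the TTPs.
INVENTORY = [
    Vuln("V1", 9.8, {"reachable": 0.1, "public_exploit": 0.0, "matches_ttp": 0.2, "low_complexity": 1.0}),
    Vuln("V2", 9.1, {"reachable": 0.2, "public_exploit": 0.0, "matches_ttp": 0.0, "low_complexity": 0.0}),
    Vuln("V3", 8.8, {"reachable": 1.0, "public_exploit": 1.0, "matches_ttp": 1.0, "low_complexity": 1.0}),
    Vuln("V4", 8.6, {"reachable": 0.0, "public_exploit": 0.0, "matches_ttp": 0.0, "low_complexity": 1.0}),
    Vuln("V5", 7.5, {"reachable": 1.0, "public_exploit": 1.0, "matches_ttp": 0.5, "low_complexity": 1.0}),
    Vuln("V6", 7.2, {"reachable": 0.0, "public_exploit": 0.0, "matches_ttp": 0.0, "low_complexity": 0.0}),
    Vuln("V7", 6.5, {"reachable": 1.0, "public_exploit": 0.0, "matches_ttp": 1.0, "low_complexity": 0.0}),
    Vuln("V8", 5.3, {"reachable": 0.5, "public_exploit": 0.0, "matches_ttp": 0.0, "low_complexity": 1.0}),
]
# Constructed "future threat": the vulns that turn out to be exploited.
FUTURE_THREAT = {"V3", "V5", "V7"}

if __name__ == "__main__":
    result = compare(INVENTORY, FUTURE_THREAT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With this constructed data, CVSS order fixes seven vulnerabilities before the last exploited one is covered, while risk order covers all three in the first three fixes; the ratio of the two counts is the analogue of the reduction factors quoted in the abstract. Replacing the fixed rule weights with learned ones is the part the paper's neuro-symbolic model does and this example does not.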
Original language | English (US) |
---|---|
Pages (from-to) | 1746-1760 |
Number of pages | 15 |
Journal | IEEE Transactions on Network and Service Management |
Volume | 19 |
Issue number | 2 |
DOIs | |
State | Published - Jun 1 2022 |
Keywords
- Logical reasoning
- Neural network
- Neuro-symbolic
- Risk prioritization
- Threat model
- Vulnerability management
ASJC Scopus subject areas
- Computer Networks and Communications
- Electrical and Electronic Engineering