Research area: Strategies
Conference: CF '24: Proceedings of the 21st ACM International Conference on Computing Frontiers
System-specific cyber security risk depends on the likelihoods of potential multi-step attacks that combine multiple vulnerabilities, and on the corresponding losses. These likelihoods are typically obtained under the assumptions that exploits of individual vulnerabilities are statistically jointly independent random events and that the probabilities of these events can be estimated from data on vulnerability exploits in the wild, e.g., using the Common Vulnerability Scoring System (CVSS). However, these assumptions, which do not account for the inherently adversarial nature of attacker-defender interactions, may lead to significant inaccuracies in cyber risk estimation and thus result in highly inefficient risk mitigation decisions. We propose a framework for system-specific cyber security risk evaluation which addresses some of these shortcomings of conventional risk evaluation techniques by combining public information, e.g., obtained from CVSS, with private information which the system defender may be reluctant to disclose. In the proposed framework, public information on vulnerability exploits in the wild determines a system-specific cyber security risk envelope, and the defender estimates the system's cyber security risk inside this envelope using the available private information on former attacks.
| Publication year | 2024 |
|---|---|
| Citations | 1 |
| Country of publication | United States |
| Site | ACM |
| Likes | 0 |