Patching vulnerabilities is one of the key activities in security management. For most commercial systems, however, the number of relevant vulnerabilities is very high; as a consequence, only a subset of them can actually be fixed. Because resources are bounded, choosing that subset according to some optimality criterion is a critical challenge for the security manager. One also has to take into account, though, that delivering attacks on vulnerabilities requires a non-negligible effort as well: a potential attacker will also always be constrained by bounded resources. Choosing which vulnerabilities to attack according to some optimality criterion is also a difficult challenge for a hacker. Here we argue that if both types of players are rational, wish to maximize their ROI, and are aware of the two sides of the problem, their respective strategies can be discussed more naturally within a Game Theory (GT) framework. We develop the observation that the attack/defense scenario described above can be mapped onto a variant of GT models known as Search Games; we call this variant the Enhanced Vulnerability Patching game. Under the hypothesis of rationality of the players, GT provides a prediction for their behavior in terms of a probability distribution over the possible choices: this result can help in supporting a semi-automatic choice of patch management with constrained resources. In this work we model and solve a few prototypical instances of this class of games and outline the path towards more realistic and accurate GT models.
A game theoretic approach to vulnerability patching / G. Gianini, M. Cremonini, A. Rainini, G. Lena Cota, L. Ghemmogne Fossi - In: Information and Communication Technology Research (ICTRC), 2015 International Conference on. [s.l] : IEEE, 2015. - pp. 88-91 (Paper presented at the 1st conference Information and Communication Technology Research (ICTRC), 2015 International Conference on, held in Abu Dhabi in 2015).
|Title:||A game theoretic approach to vulnerability patching|
GIANINI, GABRIELE (First)
CREMONINI, MARCO (Second)
|Keywords:||Vulnerability Patching, Game Theory|
|Scientific Disciplinary Sector:||Sector INF/01 - Computer Science|
Sector ING-INF/05 - Information Processing Systems
|Publication date:||2015|
|Digital Object Identifier (DOI):||http://dx.doi.org/10.1109/ICTRC.2015.7156428|
|Type:||Book Part (author)|
|Appears in types:||03 - Contribution in volume|