A game theoretic approach to vulnerability patching / G. Gianini, M. Cremonini, A. Rainini, G. Lena Cota, L. Ghemmogne Fossi - In: 2015 International Conference on Information and Communication Technology Research (ICTRC). [s.l.]: IEEE, 2015. - pp. 88-91 (Paper presented at the 1st Information and Communication Technology Research (ICTRC) conference, 2015 International Conference on, held in Abu Dhabi in 2015 [10.1109/ICTRC.2015.7156428]).

A game theoretic approach to vulnerability patching

G. Gianini (first author); M. Cremonini (second author); G. Lena Cota; L. Ghemmogne Fossi
2015

Abstract

Patching vulnerabilities is one of the key activities in security management. For most commercial systems, however, the number of relevant vulnerabilities is very high; as a consequence, only a subset of them can actually be fixed. Because resources are bounded, choosing that subset according to some optimality criterion is a critical challenge for the security manager. One also has to take into account that delivering attacks against vulnerabilities requires a non-negligible effort: a potential attacker, too, is always constrained by bounded resources, so choosing which vulnerabilities to attack according to some optimality criterion is likewise a difficult challenge for the attacker. Here we argue that if both types of players are rational, wish to maximize their ROI and are aware of both sides of the problem, their respective strategies can be discussed more naturally within a Game Theory (GT) framework. We show that the attack/defense scenario described above can be mapped onto a variant of the GT models known as Search Games; we call this variant the Enhanced Vulnerability Patching game. Under the hypothesis that the players are rational, GT predicts their behavior as a probability distribution over the possible choices; this result can support a semi-automatic choice of which patches to apply under constrained resources. In this work we model and solve a few prototypical instances of this class of games and outline the path towards more realistic and accurate GT models.
Vulnerability Patching, Game Theory
Sector INF/01 - Computer Science
Sector ING-INF/05 - Information Processing Systems
2015
Book Part (author)
Files in this record:
  • 07156428.pdf - Type: Publisher's version/PDF - Size: 863.95 kB - Format: Adobe PDF - restricted access

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/291455
Citations
  • PubMed Central: ND (not available)
  • Scopus: 11
  • ISI (Web of Science): 7