A Vulnerability Assessment Method for Network System Based on Cooperative Game Theory

It is very important for administrators to understand the severity of vulnerabilities in network systems. Although many systems such as CVSS can evaluate individual vulnerabilities, they do not take the specific environment into account, so the results are not helpful. In our paper, we construct a vulnerability dependency graph by modeling the complex dependencies between vulnerabilities, and introduce the Shapley value from cooperative game theory. We consider an attack path as a cooperation between the vulnerability nodes, use Access Complexity as the attack cost of each node, and define the characteristic function of the cooperative game. Finally, all the vulnerabilities are ranked according to the Shapley value of each node, and the administrator can patch the high-ranked vulnerabilities with the limited security resources available. Our experimental results demonstrate that our method can more effectively assess the severity of vulnerabilities in specific environments.
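The ranking idea described above can be sketched as follows. This is an added example, not the paper's code. The page does not give the characteristic function or the cost scale, so `value()` and the `COST` mapping are assumptions, and the graph is constructed sample data.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial

# Constructed sample graph. COST is an assumed Access Complexity mapping:
# Low = 1, Medium = 2, High = 3. v5 is easy to exploit but leads nowhere.
COST = {"v1": 1, "v2": 2, "v3": 1, "v4": 3, "v5": 1}
EDGES = {"v1": ["v2", "v3"], "v2": ["v4"], "v3": ["v4"], "v4": [], "v5": []}
ENTRY, TARGET = {"v1"}, {"v4"}

def attack_paths(edges, entry, target):
    """Depth-first enumeration of simple paths from an entry node to a target."""
    found = []
    def walk(node, path):
        path = path + (node,)
        if node in target:
            found.append(path)
            return
        for nxt in edges.get(node, []):
            if nxt not in path:
                walk(nxt, path)
    for start in sorted(entry):
        walk(start, ())
    return found

def value(coalition, paths, cost):
    """Assumed v(S): every attack path fully inside S adds 1 / (its total cost)."""
    return sum(Fraction(1, sum(cost[n] for n in p))
               for p in paths if set(p) <= coalition)

def shapley(nodes, paths, cost):
    """Exact Shapley value: average marginal contribution over all join orders."""
    phi = {n: Fraction(0) for n in nodes}
    for order in permutations(nodes):
        members, before = set(), 0
        for n in order:
            members.add(n)
            after = value(members, paths, cost)
            phi[n] += after - before
            before = after
    return {n: total / factorial(len(nodes)) for n, total in phi.items()}

def rank(phi):
    """Highest Shapley value first; ties broken by name for a stable order."""
    return sorted(phi, key=lambda n: (-phi[n], n))

if __name__ == "__main__":
    scores = shapley(list(COST), attack_paths(EDGES, ENTRY, TARGET), COST)
    for node in rank(scores):
        print(node, scores[node])
```

Enumerating every join order costs n! evaluations, so this exact form only suits small graphs. Note that v5 scores zero despite its low cost, because it lies on no attack path in this environment.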
