Predictive Patch-Management Using Machine-Learning Risk Scoring
Keywords:
vulnerability management, risk scoring, CVE metadata, exploit intelligence, asset criticality
Abstract
Timely, risk-aligned patch deployment remains a formidable challenge in enterprise cybersecurity. This paper introduces a predictive patch-management framework that uses a gradient-boosted machine-learning model to correlate structured CVE metadata, unstructured external exploit intelligence, and local asset criticality. The resulting risk score orders patches by their expected impact on the business.
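As an added illustration of the scoring idea described in the abstract (example code written for this page, not the paper's implementation), the block below trains a small gradient-boosted model of depth-1 trees from scratch on constructed CVE rows, then multiplies the predicted exploit likelihood by an assumed asset-criticality weight to rank a constructed patch backlog. The five-field feature layout, the tier weights, the training rows and the placeholder CVE ids are all assumptions of this example; the paper's real feature schema, model configuration and data are not reproduced here.

```python
import math
from dataclasses import dataclass

# Feature layout assumed for this example: two CVE-metadata fields, two
# exploit-intelligence signals and one age field (not the paper's schema).
FEATURES = ["cvss_base", "network_vector", "known_exploited", "public_poc", "days_since_publish"]

# Constructed training set: one row per historical CVE, label 1 = exploit activity observed.
TRAIN_X = [
    [9.8, 1, 1, 1, 40], [7.5, 1, 1, 0, 12], [8.8, 1, 0, 1, 90], [6.5, 0, 0, 1, 200],
    [9.1, 1, 1, 1, 5], [5.3, 1, 0, 1, 30], [7.8, 0, 0, 0, 15], [9.8, 1, 0, 0, 60],
    [4.3, 1, 0, 0, 300], [6.1, 0, 0, 0, 120], [8.1, 1, 0, 0, 45], [5.5, 0, 0, 0, 10],
]
TRAIN_Y = [1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0]

# Assumed asset-criticality weights (tier0 = revenue-critical, tier2 = lab/test host).
ASSET_WEIGHT = {"tier0": 1.0, "tier1": 0.7, "tier2": 0.4}


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


@dataclass
class Stump:
    feature: int
    threshold: float
    left_value: float   # added to the raw score when x[feature] <= threshold
    right_value: float  # added otherwise


def _fit_stump(X, grad, hess, lam):
    """Pick the split with the largest XGBoost-style gain; leaf weight = -G / (H + lam)."""
    G, H = sum(grad), sum(hess)
    best, best_gain = None, 0.0
    for f in range(len(X[0])):
        values = sorted({row[f] for row in X})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            GL = sum(g for row, g in zip(X, grad) if row[f] <= thr)
            HL = sum(h for row, h in zip(X, hess) if row[f] <= thr)
            GR, HR = G - GL, H - HL
            gain = GL * GL / (HL + lam) + GR * GR / (HR + lam) - G * G / (H + lam)
            if gain > best_gain:
                best_gain = gain
                best = Stump(f, thr, -GL / (HL + lam), -GR / (HR + lam))
    return best


class BoostedExploitModel:
    """Gradient boosting of depth-1 trees under logistic loss with second-order leaf updates."""

    def __init__(self, rounds=60, learning_rate=0.3, lam=1.0):
        self.rounds, self.lr, self.lam = rounds, learning_rate, lam
        self.base, self.stumps = 0.0, []

    def fit(self, X, y):
        pos = sum(y) / len(y)
        self.base = math.log(pos / (1 - pos))          # log-odds of the class prior
        raw = [self.base] * len(X)
        for _ in range(self.rounds):
            p = [_sigmoid(z) for z in raw]
            grad = [pi - yi for pi, yi in zip(p, y)]    # d logloss / d raw score
            hess = [pi * (1 - pi) for pi in p]          # second derivative
            stump = _fit_stump(X, grad, hess, self.lam)
            if stump is None:                           # no split improves the loss
                break
            self.stumps.append(stump)
            for i, row in enumerate(X):
                raw[i] += self.lr * self._leaf(stump, row)
        return self

    @staticmethod
    def _leaf(stump, row):
        return stump.left_value if row[stump.feature] <= stump.threshold else stump.right_value

    def predict_proba(self, row):
        z = self.base + sum(self.lr * self._leaf(s, row) for s in self.stumps)
        return _sigmoid(z)


def risk_score(model, features, asset_tier):
    """Exploit likelihood scaled by how much the affected asset matters to the business."""
    return model.predict_proba(features) * ASSET_WEIGHT[asset_tier]


def prioritize(model, pending):
    """pending: list of (patch_id, feature_row, asset_tier); returns (patch_id, score), high to low."""
    scored = [(pid, risk_score(model, feats, tier)) for pid, feats, tier in pending]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed backlog of pending patches; the ids are placeholders, not real CVEs.
PENDING = [
    ("CVE-EXAMPLE-A", [9.8, 1, 1, 1, 3], "tier0"),    # exploited in the wild, critical host
    ("CVE-EXAMPLE-B", [9.8, 1, 0, 0, 3], "tier0"),    # high CVSS but no exploit signal
    ("CVE-EXAMPLE-C", [7.5, 1, 1, 0, 10], "tier2"),   # exploited, but only a lab box
]

if __name__ == "__main__":
    model = BoostedExploitModel().fit(TRAIN_X, TRAIN_Y)
    for pid, score in prioritize(model, PENDING):
        print(f"{pid}: {score:.3f}")
```

The point the ranking makes is that CVSS alone does not drive the order: the patch with exploit evidence on a critical asset comes first, and the same exploited vulnerability on a lab host is discounted by the asset weight rather than by the model.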