Targeted Risk Prioritization to Improve Network Cyber Defense
Lincoln Laboratory developed an innovative technique enabling cyber analysts to prioritize efforts for mitigating software vulnerabilities that attackers may use to infiltrate a network. By applying natural language processing to the descriptions of vulnerabilities used in prior attacks, our method estimates the risk presented by specific vulnerabilities, helping alleviate the network defenders’ burden of trying to counter any of thousands of potential vulnerabilities.
Background
Reported software vulnerabilities threatening the security of computer systems number in the hundreds of thousands, and new vulnerabilities are discovered daily. Cybersecurity professionals tasked with defending enterprise networks run scans, looking for the presence of vulnerabilities documented in the National Vulnerability Database maintained by the National Institute of Standards and Technology. Each of these vulnerabilities is assigned a Common Vulnerability Scoring System (CVSS) value indicating the perceived severity of the vulnerability (lowest 0 to highest 10). Cyber defenders then typically prioritize vulnerability mitigations and/or patch deployments on the basis of high CVSS scores.
However, this approach is time- and labor-intensive and often results in ineffectual network defense. The vast number of known, potentially serious vulnerabilities discovered on a network makes it daunting to determine which vulnerabilities deserve which resources. And, because CVSS scores quantify aggregated data from many diverse sources, a score may not represent the risk to a particular network or from a specific type of attacker. For example, an attack on a commercial company was most likely perpetrated by different actors, exploiting different vulnerabilities, than attacks on government networks.
Lincoln Laboratory Technique
We developed an approach that targets cyber-defense efforts at the vulnerabilities most likely to be used against a network. Hypothesizing that attackers would employ strategies similar to those they used effectively in the past, we converted descriptive human assessments of vulnerabilities to numeric (vector) values and applied machine learning to classify vulnerabilities associated with different successful network infiltrations. These associations inform a risk-assessment scoring system that takes into account the particular networks attacked by specific actors. By more accurately tying vulnerabilities to their likelihood of exploitation, this system gives cyber defenders a way to prioritize their countermeasures, leading to more secure networks while reducing the time and resources defenders expend. Through several evaluations, our supervised-learning approach achieved better accuracy in predicting risk than approaches relying on CVSS scores.
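The following is an added illustration of the idea described above, not Lincoln Laboratory's code or the method from the cited paper or patent: vulnerability descriptions are turned into token-count vectors, a supervised classifier (here a multinomial naive Bayes, chosen for brevity; the paper's model is not reproduced) is trained on constructed descriptions labelled by whether a similar vulnerability figured in a past intrusion, and the resulting exploit probability is used to rank candidate vulnerabilities. The training descriptions, the candidate list, the VULN-A/B/C identifiers and the combined risk score (probability times CVSS) are all constructed assumptions for the example.

```python
"""Illustrative text-based risk prioritization (constructed example).

Trains a multinomial naive Bayes classifier on short vulnerability
descriptions labelled 1 if a similar vulnerability was used in a prior
intrusion against the defended network profile, 0 otherwise. The class
probability then ranks candidates instead of (or combined with) CVSS.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lowercase bag-of-words tokenization of a vulnerability description."""
    return TOKEN_RE.findall(text.lower())


# Constructed training set: (description, exploited_in_prior_attack).
TRAINING = [
    ("Unauthenticated remote code execution in web application server", 1),
    ("Remote code execution via crafted request to public web service", 1),
    ("Deserialization flaw allows unauthenticated remote code execution", 1),
    ("Authentication bypass in internet facing VPN gateway", 1),
    ("Local privilege escalation in desktop printing service", 0),
    ("Denial of service through malformed packet to local daemon", 0),
    ("Information disclosure in local log viewer utility", 0),
    ("Memory leak causes denial of service in local agent", 0),
]


class DescriptionClassifier:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_counts = Counter()
        self.token_counts = {0: Counter(), 1: Counter()}
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            toks = tokenize(text)
            self.class_counts[label] += 1
            self.token_counts[label].update(toks)
            self.vocab.update(toks)
        return self

    def _log_joint(self, tokens, label):
        # log P(label) + sum of log P(token | label), smoothed
        n_docs = sum(self.class_counts.values())
        logp = math.log(self.class_counts[label] / n_docs)
        denom = sum(self.token_counts[label].values()) + self.alpha * len(self.vocab)
        for tok in tokens:
            logp += math.log((self.token_counts[label][tok] + self.alpha) / denom)
        return logp

    def exploit_probability(self, text):
        """P(exploited | description); tokens unseen in training are ignored."""
        tokens = [t for t in tokenize(text) if t in self.vocab]
        l0, l1 = self._log_joint(tokens, 0), self._log_joint(tokens, 1)
        m = max(l0, l1)  # shift to avoid underflow before exponentiating
        return math.exp(l1 - m) / (math.exp(l0 - m) + math.exp(l1 - m))


# Constructed scan findings with placeholder identifiers (not real CVEs).
CANDIDATES = [
    {"id": "VULN-A", "cvss": 9.8, "desc": "Denial of service in local configuration daemon"},
    {"id": "VULN-B", "cvss": 7.5, "desc": "Unauthenticated remote code execution in web server"},
    {"id": "VULN-C", "cvss": 5.3, "desc": "Information disclosure in local utility"},
]


def rank_by_cvss(candidates):
    """Baseline ordering: highest CVSS base score first."""
    return [c["id"] for c in sorted(candidates, key=lambda c: -c["cvss"])]


def rank_by_model(candidates, clf):
    """Ordering by estimated likelihood of exploitation, highest first."""
    scored = [(clf.exploit_probability(c["desc"]), c["id"]) for c in candidates]
    return [cid for _, cid in sorted(scored, reverse=True)]


def rank_by_risk(candidates, clf):
    """Assumed combined score: exploit probability weighted by CVSS severity."""
    scored = [(clf.exploit_probability(c["desc"]) * c["cvss"], c["id"]) for c in candidates]
    return [cid for _, cid in sorted(scored, reverse=True)]


if __name__ == "__main__":
    model = DescriptionClassifier().fit(TRAINING)
    print("CVSS order :", rank_by_cvss(CANDIDATES))
    print("Model order:", rank_by_model(CANDIDATES, model))
    print("Risk order :", rank_by_risk(CANDIDATES, model))
```

With these constructed inputs the CVSS baseline puts the local denial-of-service finding first, while the text-trained classifier ranks the remote code execution finding first because its description resembles the vulnerabilities in the past-intrusion set. A real deployment would train on far more history, retrain as new threat-activity reports arrive, and keep CVSS as one input rather than discarding it.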
Benefits
- Algorithms can tailor the risk assessment to profiles of specific known attackers
- Machine learning models are trained on attack data specific to a defended network
- Algorithms can reprioritize vulnerabilities as new information on threat activity emerges
Additional Resources
U.S. Patent 11,036,865
More Information
K. Alperin et al., "Risk Prioritization by Leveraging Latent Vulnerability Features in a Contested Environment," Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security, 11 November 2019.