Abstract

Despite significant innovations in IT security products and research over the past 20 years, the information security field is still immature and struggling. Practitioners lack the ability to properly assess cyber risk, and decision-makers continue to be paralyzed by vulnerability scanners that overload their staff with mountains of scan results. In order to cope, firms prioritize vulnerability remediation using crude heuristics and limited data, though they are still too often breached by known vulnerabilities for which patches have existed for months or years. And so, the key challenge firms face is trying to identify a remediation strategy that best balances two competing forces. On one hand, it could attempt to patch all vulnerabilities on its network. While this would provide the greatest ‘coverage’ of vulnerabilities patched, it would inefficiently consume resources by fixing low-risk vulnerabilities. On the other hand, patching a few high-risk vulnerabilities would be highly ‘efficient’, but may leave the firm exposed to many other high-risk vulnerabilities. Using a large collection of multiple datasets together with machine learning techniques, we construct a series of vulnerability remediation strategies and compare how each perform in regard to trading off coverage and efficiency. We expand and improve upon the small body of literature that uses predictions of ‘published exploits’, by instead using ‘exploits in the wild’ as our outcome variable. We implement the machine learning models by classifying vulnerabilities according to high- and low-risk, where we consider high-risk vulnerabilities to be those that have been exploited in actual firm networks.

中文翻译：

---

通过更好的漏洞利用预测来改善漏洞修复

摘要

尽管在过去的20年中IT安全产品和研究领域进行了重大创新，但是信息安全领域仍处于不成熟和艰难的时期。从业者缺乏适当评估网络风险的能力，而决策者继续被漏洞扫描程序所瘫痪，漏洞扫描程序使他们的员工无法承受大量扫描结果。为了应对，公司使用粗略的启发式方法和有限的数据来优先考虑漏洞修复，尽管它们仍然经常被已知漏洞所破坏，而已知漏洞已经存在了数月或数年。因此，企业所面临的主要挑战是试图找到一种能够最佳地平衡两种竞争力量的补救策略。一方面，它可能试图修补其网络上的所有漏洞。虽然这将为修补的漏洞提供最大的“覆盖率”，它会通过修复低风险漏洞来低效率地消耗资源。另一方面，修补一些高风险漏洞会非常“有效”，但可能会使公司面临许多其他高风险漏洞。通过使用大量的多个数据集以及机器学习技术，我们构建了一系列漏洞修复策略，并比较了每种方法在权衡覆盖率和效率方面的表现。我们通过使用“公开的漏洞利用”的预测，而不是使用“野外漏洞利用”作为我们的结果变量，来扩展和改进一小部分文献。我们通过根据高风险和低风险对漏洞进行分类来实现机器学习模型，在这些模型中，我们认为高风险漏洞是在实际公司网络中利用的漏洞。