A Stochastic Model for Calculating Well-Founded Probabilities of Vulnerability Exploitation

Abstract

To efficiently manage security risks of network systems, vulnerabilities in the systems need to be assessed to determine their severity or priority. The Bayesian attack graph (BAG) is a risk analysis model that takes into account the probabilities of vulnerability exploitation (exploit probabilities) and their dependencies to calculate the probabilities that specific assets are compromised (compromise probabilities) in a system. In many BAG analysis methods, an exploit probability is obtained assuming that it strongly correlates with base metrics of the Common Vulnerability Scoring System (CVSS) assigned to the corresponding vulnerability. However, the authors found that this assumption does not necessarily hold, and thus the accuracy of compromise probabilities estimated by these methods may be impaired. Therefore, this paper proposes the exploit time probability (ETP)-model to calculate well-founded exploit probabilities on the basis of empirical data on vulnerabilities and exploits. The model uses Weibull distributions to approximate the probability distribution of the time between the publication of a vulnerability to the National Vulnerability Database (NVD) and its exploitation. Finally, by applying the ETP-model to a test network, the model is shown to be able to provide reasonable exploit probabilities and be a fundamental technique to improve the accuracy of existing BAG analysis methods.