Securing Networks Against Unpatchable and Unknown Vulnerabilities Using Heterogeneous Hardening Options

  • Daniel BorborEmail author
  • Lingyu Wang
  • Sushil Jajodia
  • Anoop Singhal
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10359)


The administrators of a mission critical network usually have to worry about non-traditional threats, e.g., how to live with known, but unpatchable vulnerabilities, and how to improve the network’s resilience against potentially unknown vulnerabilities. To this end, network hardening is a well-knowfn preventive security solution that aims to improve network security by taking proactive actions, namely, hardening options. However, most existing network hardening approaches rely on a single hardening option, such as disabling unnecessary services, which becomes less effective when it comes to dealing with unknown and unpatchable vulnerabilities. There lacks a heterogeneous approach that can combine different hardening options in an optimal way to deal with both unknown and unpatchable vulnerabilities. In this paper, we propose such an approach by unifying multiple hardening options, such as firewall rule modification, disabling services, service diversification, and access control, under the same model. We then apply security metrics designed for evaluating network resilience against unknown and unpatchable vulnerabilities, and consequently derive optimal hardening solutions that maximize security under given cost constraints.


Unknown Vulnerabilities Hardening Options Heterogeneous Hardness Firewall Rules Unpatched Vulnerabilities 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The authors thank the anonymous reviewers for their valuable comments. Authors with Concordia University were partially supported by the Natural Sciences and Engineering Research Council of Canada under Discovery Grant N01035. Sushil Jajodia was supported in part by the National Science Foundation under grant IIP-1266147; by the Army Research Office under grants W911NF-13-1-0421 and W911NF-13-1-0317; and by the Office of Naval Research under grants N00014-15-1-2007 and N00014-13-1-0703.


  1. 1.
    Albanese, M., Jajodia, S., Noel, S.: Time-efficient and cost-effective network hardening using attack graphs. In: 2012 42nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 1–12. IEEE (2012)Google Scholar
  2. 2.
    Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, pp. 217–224. ACM (2002)Google Scholar
  3. 3.
    Avizienis, A., Chen, L.: On the implementation of n-version programming for software fault tolerance during execution. In: Proceedings of IEEE COMPSAC, vol. 77, pp. 149–155 (1977)Google Scholar
  4. 4.
    Md Azamathulla, H., Wu, F.C., Ab Ghani, A., Narulkar, S.M., Zakaria, N.A., Chang, C.K.: Comparison between genetic algorithm and linear programming approach for real time operation. J. Hydro Environ. Res. 2(3), 172–181 (2008)CrossRefGoogle Scholar
  5. 5.
    Bakshi, K.: CISCO cloud computing-data center strategy, architecture, and solutions. CISCO White Paper (2009). Accessed 13 Oct 2010Google Scholar
  6. 6.
    Borbor, D., Wang, L., Jajodia, S., Singhal, A.: Diversifying network services under cost constraints for better resilience against unknown attacks. In: Ranise, S., Swarup, V. (eds.) DBSec 2016. LNCS, vol. 9766, pp. 295–312. Springer, Cham (2016). doi: 10.1007/978-3-319-41483-6_21 CrossRefGoogle Scholar
  7. 7.
    Cox, B., Evans, D., Filipi, A., Rowanhill, J., Wei, H., Davidson, J., Knight, J., Nguyen-Tuong, A., Hiser, J.: N-variant systems: a secretless framework for security through diversity. In: USENIX Security, vol. 6, pp. 105–120 (2006)Google Scholar
  8. 8.
    Deb, K.: An efficient constraint handling method for genetic algorithms. Comput. Methods Appl. Mech. Eng. 186(2), 311–338 (2000)CrossRefzbMATHGoogle Scholar
  9. 9.
    Dewri, R., Poolsappasit, N., Ray, I., Whitley, D.: Optimal security hardening using multi-objective optimization on attack tree models of networks. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 204–213. ACM (2007)Google Scholar
  10. 10.
    Dewri, R., Ray, I., Poolsappasit, N., Whitley, D.: Optimal security hardening on attack tree models of networks: a cost-benefit analysis. Int. J. Inf. Secur. 11(3), 167–188 (2012)CrossRefGoogle Scholar
  11. 11.
    Fifield, T., Fleming, D., Gentle, A., Hochstein, L., Proulx, J., Toews, E. and Topjian, J.: OpenStack Operations Guide. O’Reilly Media, Inc. (2014)Google Scholar
  12. 12.
    Gao, D., Reiter, M.K., Song, D.: Behavioral distance measurement using hidden Markov models. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 19–40. Springer, Heidelberg (2006). doi: 10.1007/11856214_2 CrossRefGoogle Scholar
  13. 13.
    Garcia, M., Bessani, A., Gashi, I., Neves, N., Obelheiro, R.: OS diversity for intrusion tolerance: myth or reality? In: 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks (DSN), pp. 383–394. IEEE (2011)Google Scholar
  14. 14.
    Gupta, M., Rees, J., Chaturvedi, A., Chi, J.: Matching information security vulnerabilities to organizational security profiles: a genetic algorithm approach. Decis. Support Syst. 41(3), 592–603 (2006)CrossRefGoogle Scholar
  15. 15.
    Jajodia, S., Noel, S., O’Berry, B.: Topological analysis of network attack vulnerability. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds.) Managing Cyber Threats: Issues, Approaches and Challenges. Kluwer Academic Publisher, New York (2003)Google Scholar
  16. 16.
    Krebs, B.: How many zero-days hit you today? (2013).
  17. 17.
    McHugh, J.: Quality of protection: measuring the unmeasurable? In Proceedings of the 2nd ACM workshop on Quality of protection, pp. 1–2. ACM (2006)Google Scholar
  18. 18.
    Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. IEEE Secur. Priv. 4(6), 85–89 (2006)CrossRefGoogle Scholar
  19. 19.
    Mieritz, L., Kirwin, B.: Defining gartner total cost of ownership (2005)Google Scholar
  20. 20.
    Apache mina project, October 2016.
  21. 21.
    Poolsappasit, N., Dewri, R., Ray, I.: Dynamic security risk management using Bayesian attack graphs. IEEE Trans. Dependable Secur. Comput. 9(1), 61–74 (2012)CrossRefGoogle Scholar
  22. 22.
    Ray, I., Poolsapassit, N.: Using attack trees to identify malicious attacks from authorized insiders. In: Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 231–246. Springer, Heidelberg (2005). doi: 10.1007/11555827_14 CrossRefGoogle Scholar
  23. 23.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and privacy, pp. 273–284. IEEE (2002)Google Scholar
  24. 24.
    Wang, L., Albanese, M., Jajodia, S.: Network Hardening: An Automated Approach to Improving Network Security. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  25. 25.
    Wang, L., Jajodia, S., Singhal, A., Cheng, P., Noel, S.: k-zero day safety: a network security metric for measuring the risk of unknown vulnerabilities. IEEE Trans. Dependable Secur. Comput. 11(1), 30–44 (2014)CrossRefGoogle Scholar
  26. 26.
    Wang, L., Jajodia, S., Singhal, A., Noel, S.: k-zero day safety: measuring the security risk of networks against unknown attacks. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 573–587. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-15497-3_35 CrossRefGoogle Scholar
  27. 27.
    Wang, L., Noel, S., Jajodia, S.: Minimum-cost network hardening using attack graphs. Compu. Commun. 29(18), 3812–3824 (2006)CrossRefGoogle Scholar
  28. 28.
    Wang, L., Singhal, A., Jajodia, S.: Measuring the overall security of network configurations using attack graphs. In: Barker, S., Ahn, G.-J. (eds.) DBSec 2007. LNCS, vol. 4602, pp. 98–112. Springer, Heidelberg (2007). doi: 10.1007/978-3-540-73538-0_9 CrossRefGoogle Scholar
  29. 29.
    Wang, L., Zhang, M., Jajodia, S., Singhal, A., Albanese, M.: Modeling network diversity for evaluating the robustness of networks against zero-day attacks. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8713, pp. 494–511. Springer, Cham (2014). doi: 10.1007/978-3-319-11212-1_28 Google Scholar
  30. 30.
    Wang, S., Zhang, Z., Kadobayashi, Y.: Exploring attack graph for cost-benefit security hardening: a probabilistic approach. Comput. Secur. 32, 158–169 (2013)CrossRefGoogle Scholar
  31. 31.
    Yigit, B., Gur, G., Alagoz, F.: Cost-aware network hardening with limited budget using compact attack graphs. In: 2014 IEEE Military Communications Conference (MILCOM), pp. 152–157. IEEE (2014)Google Scholar
  32. 32.
    Zhang, M., Wang, L., Jajodia, S., Singhal, A., Albanese, M.: Network diversity: a security metric for evaluating the resilience of networks against zero-day attacks. IEEE Trans. Inf. Forensics Secur. (TIFS) 11(5), 1071–1086 (2016)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2017

Authors and Affiliations

  • Daniel Borbor
    • 1
    Email author
  • Lingyu Wang
    • 1
  • Sushil Jajodia
    • 2
  • Anoop Singhal
    • 3
  1. 1.Concordia Institute for Information Systems EngineeringConcordia UniversityMontrealCanada
  2. 2.Center for Secure Information SystemsGeorge Mason UniversityFairfaxUSA
  3. 3.Computer Security DivisionNational Institute of Standards and TechnologyGaithersburgUSA

Personalised recommendations