Affiliations: [a] Concordia Institute for Information Systems Engineering, Concordia University, Quebec, Canada. E-mails: d_borbor@ciise.concordia.ca, wang@ciise.concordia.ca | [b] Center for Secure Information Systems, George Mason University, MD, USA. E-mail: jajodia@gmu.edu | [c] Computer Security Division, National Institute of Standards and Technology, VA, USA. E-mail: anoop.singhal@nist.gov
Abstract: The administrators of a mission critical network usually have to worry about non-traditional threats, e.g., how to live with known, but unpatchable vulnerabilities, and how to improve the network’s resilience against potentially unknown vulnerabilities. To this end, network hardening is a well-known preventive security solution that aims to improve network security by taking proactive actions, namely, hardening options. However, most existing network hardening approaches rely on a single hardening option, such as disabling unnecessary services, which becomes less effective when it comes to dealing with unknown and unpatchable vulnerabilities. There lacks a heterogeneous approach that can combine different hardening options in an optimal way to deal with both unknown and unpatchable vulnerabilities. In this paper, we propose such an approach by unifying multiple hardening options, such as service diversification, firewall rule modification, adding, removing, and relocating network resources, and access control, all under the same model. We then apply security metrics designed for evaluating network resilience against unknown and unpatchable vulnerabilities, and consequently derive optimal solutions to maximize security under given cost constraints. Finally, we study the effectiveness of our solution against unpatchable vulnerabilities through simulations.
