Prioritizing vulnerability patches in large networks

Amir Olswang, Tom Gonda, Rami Puzis, Guy Shani, Bracha Shapira, Noam Tractinsky

Expert Systems with Applications 193, 116467, 2022

We consider here the question of prioritizing the patching of security vulnerabilities to prevent network attacks. Patching all vulnerable machines at once in large modern organizations is not feasible due to the large scale of their networks and the inability to halt operation during maintenance. This article explores two aspects of security maintenance: a method for prioritizing vulnerability patches, and visualization of the priorities to aid in decision making. State-of-the-art methods rank vulnerabilities by analyzing the connectivity graph or the logical attack graph and present the results in a table form, a view of the organizational network with highlighted failure points, or even the complete attack graph, in either case flooding the human operator with a lot of hardly comprehensible information. We suggest a Network Topology Vulnerability Score (NTVS) which shows preferable results by ranking vulnerabilities in a …