
HAL 9000: a Risk Manager for ITSs

Tadeu Freitas, Carlos Novo, Joao Soares, Ines Dutra, Manuel E. Correia, Behnam Shariati, Rolando Martins

TL;DR

The paper addresses how ITSs can tolerate intrusions while responding rapidly to newly disclosed vulnerabilities despite the CVE backlog in public databases. HAL 9000 combines a vulnerability score predictor, CVE clustering, a score reassessment that accounts for EPSS, and a Configurator that proposes secure, resilient ITS configurations from OSINT; it can predict CVSS scores for unrated CVEs to bypass NVD delays. Experiments show that HAL can learn to replicate the NVD evaluation process with about 99% accuracy and outperform prior risk managers on the security-resilience trade-off, with sentence embeddings + OPTICS giving the best results. The work demonstrates a practical path to faster, automated, threat-informed reconfiguration of ITSs, with future extensions including pentesting data integration and handling of OSINT-source outages.

Abstract

HAL 9000 is an Intrusion Tolerant Systems (ITSs) Risk Manager, which assesses configuration risks against potential intrusions. It utilizes gathered threat knowledge and remains operational even in the absence of updated information. Based on its advice, ITSs can dynamically and proactively adapt to recent threats to minimize and mitigate future intrusions by malicious adversaries. Our goal is to reduce the risk linked to the exploitation of recently uncovered vulnerabilities that have not been classified and/or do not have a script to reproduce the exploit, considering that they may already have been exploited as zero-days. Our experiments demonstrate that the proposed solution can effectively learn and replicate the National Vulnerability Database's evaluation process with 99% accuracy.

Paper Structure (11 sections, 8 equations, 4 figures, 1 table)

This paper contains 11 sections, 8 equations, 4 figures, 1 table.

Figures (4)

  • Figure 1: HAL 9000 architecture and workflow, along with the integration of an OSINT scraper tool.
  • Figure 2: Evaluation of several clustering algorithms and their effect on the HAL risk calculation (lower is better). For each algorithm two preprocessing approaches are applied: bag of words (bow) and sentence embeddings (emb).
  • Figure 3: Evaluation of the different Risk Managers by level of security, i.e., the sum of the CVSS scores of the CVEs present in the advised configuration (lower is better).
  • Figure 4: Evaluation of the different Risk Managers by level of resilience, i.e., the product of the reassessed CVSS score of each common CVE (shared directly or by clustering) and its EPSS score, summed over the CVEs present in the advised configuration (lower is better).
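The two metrics in Figures 3 and 4 can be applied to candidate configurations directly. The following is an added example, not code from the HAL 9000 paper: it scores a constructed catalogue of components with placeholder CVE identifiers, falls back to a supplied predicted CVSS score for an unrated CVE (standing in for HAL's predictor), uses the base CVSS as the "reassessed" score (the paper's reassessment step is not reproduced), and returns the configurations that are not dominated on the security-resilience trade-off. All names, scores and EPSS values are constructed.

```python
"""Rank candidate ITS configurations by security (sum of CVSS) and resilience
(sum of CVSS x EPSS), as in Figures 3 and 4. Added example; all data constructed."""
from itertools import product
from typing import Dict, List

# Constructed catalogue: component -> CVEs it carries (placeholder identifiers).
COMPONENT_CVES: Dict[str, List[str]] = {
    "os-a": ["CVE-EXAMPLE-1", "CVE-EXAMPLE-2"],
    "os-b": ["CVE-EXAMPLE-3"],
    "db-a": ["CVE-EXAMPLE-4", "CVE-EXAMPLE-5"],
    "db-b": ["CVE-EXAMPLE-2", "CVE-EXAMPLE-6"],   # shares CVE-EXAMPLE-2 with os-a
}

# Constructed NVD CVSS base scores; CVE-EXAMPLE-6 is deliberately left unrated.
NVD_CVSS: Dict[str, float] = {
    "CVE-EXAMPLE-1": 9.8, "CVE-EXAMPLE-2": 5.3, "CVE-EXAMPLE-3": 7.5,
    "CVE-EXAMPLE-4": 4.3, "CVE-EXAMPLE-5": 6.1,
}
# Stand-in for the score predictor: a constructed predicted score for the unrated CVE.
PREDICTED_CVSS: Dict[str, float] = {"CVE-EXAMPLE-6": 3.1}
# Constructed EPSS exploitation probabilities.
EPSS: Dict[str, float] = {
    "CVE-EXAMPLE-1": 0.92, "CVE-EXAMPLE-2": 0.04, "CVE-EXAMPLE-3": 0.10,
    "CVE-EXAMPLE-4": 0.01, "CVE-EXAMPLE-5": 0.30, "CVE-EXAMPLE-6": 0.90,
}


def cvss_for(cve: str) -> float:
    """NVD score when rated; otherwise the predicted score, so an NVD delay does not block scoring."""
    if cve in NVD_CVSS:
        return NVD_CVSS[cve]
    if cve in PREDICTED_CVSS:
        return PREDICTED_CVSS[cve]
    raise KeyError(f"no NVD or predicted CVSS score for {cve}")


def config_cves(config: List[str]) -> List[str]:
    """Distinct CVEs across the configuration; a CVE shared by two components counts once."""
    return sorted({cve for comp in config for cve in COMPONENT_CVES[comp]})


def security_level(config: List[str]) -> float:
    """Figure 3 metric: sum of CVSS scores of the CVEs in the configuration (lower is better)."""
    return sum(cvss_for(cve) for cve in config_cves(config))


def resilience_level(config: List[str]) -> float:
    """Figure 4 metric: sum over CVEs of (reassessed) CVSS x EPSS (lower is better).
    Assumption: the reassessed score is the base CVSS here."""
    return sum(cvss_for(cve) * EPSS[cve] for cve in config_cves(config))


def pareto_front(candidates: Dict[str, List[str]]) -> List[str]:
    """Configurations not dominated on both metrics (no other config is at least as
    good on both and strictly better on one)."""
    scored = [(name, security_level(cfg), resilience_level(cfg)) for name, cfg in candidates.items()]
    front = []
    for name, s, r in scored:
        dominated = any(
            s2 <= s and r2 <= r and (s2 < s or r2 < r)
            for n2, s2, r2 in scored if n2 != name
        )
        if not dominated:
            front.append(name)
    return sorted(front)


# One OS and one database per configuration: four candidates.
CANDIDATES: Dict[str, List[str]] = {
    f"{os_}+{db}": [os_, db] for os_, db in product(("os-a", "os-b"), ("db-a", "db-b"))
}

if __name__ == "__main__":
    for name, cfg in CANDIDATES.items():
        print(f"{name:12s} security={security_level(cfg):5.2f} resilience={resilience_level(cfg):6.3f}")
    print("non-dominated:", pareto_front(CANDIDATES))
```

With these constructed numbers the two os-b configurations form the front: os-b+db-b has the lower summed CVSS, while os-b+db-a has the lower EPSS-weighted score because db-b's unrated CVE, although predicted to be low severity, carries a high exploitation probability. That is the kind of trade-off the Configurator has to resolve, and it is why a score predictor and EPSS reassessment are both needed rather than summed CVSS alone.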