Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs

Yuning Jiang, Nay Oo, Qiaoran Meng, Hoon Wei Lim, Biplab Sikdar

TL;DR

VulRG presents a graph-based framework for multi-level vulnerability patch prioritization in complex, interconnected systems. By constructing a network communication graph and a system dependence graph, it enables dynamic risk aggregation across components, assets, and the entire system, integrating CVSS, EPSS, exploit data, and threat intelligence. The approach yields context-aware patch rankings with enhanced explainability and adaptability, validated through enterprise network case studies and three benchmarked scenarios (OpenPLC, network environment, and ICS). This framework advances vulnerability management by capturing attack paths, risk propagation, and asset criticality to optimize security resource allocation in real-world settings. The study demonstrates improved accuracy and interpretability over CVSS-based methods and outlines future work on real-time threat intelligence and broader domain deployment.

Abstract

As interconnected systems proliferate, safeguarding complex infrastructures against an escalating array of cyber threats has become an urgent challenge. The increasing number of vulnerabilities, combined with resource constraints, makes addressing every vulnerability impractical, making effective prioritization essential. However, existing risk prioritization methods often rely on expert judgment or focus solely on exploit likelihood and consequences, lacking the granularity and adaptability needed for complex systems. This work introduces a graph-based framework for vulnerability patch prioritization that optimizes security by integrating diverse data sources and metrics into a universally applicable model. Refined risk metrics enable detailed assessments at the component, asset, and system levels. The framework employs two key graphs: a network communication graph to model potential attack paths and identify the shortest routes to critical assets, and a system dependency graph to capture risk propagation from exploited vulnerabilities across interconnected components. Asset criticality and component dependency rules systematically assess and mitigate risks. Benchmarking against state-of-the-art methods demonstrates superior accuracy in vulnerability patch ranking, with enhanced explainability. This framework advances vulnerability management and sets the stage for future research in adaptive cybersecurity strategies.

VulRG: Multi-Level Explainable Vulnerability Patch Ranking for Complex Systems Using Graphs

TL;DR

VulRG presents a graph-based framework for multi-level vulnerability patch prioritization in complex, interconnected systems. By constructing a network communication graph and a system dependence graph, it enables dynamic risk aggregation across components, assets, and the entire system, integrating CVSS, EPSS, exploit data, and threat intelligence. The approach yields context-aware patch rankings with enhanced explainability and adaptability, validated through enterprise network case studies and three benchmarked scenarios (OpenPLC, network environment, and ICS). This framework advances vulnerability management by capturing attack paths, risk propagation, and asset criticality to optimize security resource allocation in real-world settings. The study demonstrates improved accuracy and interpretability over CVSS-based methods and outlines future work on real-time threat intelligence and broader domain deployment.

Abstract

As interconnected systems proliferate, safeguarding complex infrastructures against an escalating array of cyber threats has become an urgent challenge. The increasing number of vulnerabilities, combined with resource constraints, makes addressing every vulnerability impractical, making effective prioritization essential. However, existing risk prioritization methods often rely on expert judgment or focus solely on exploit likelihood and consequences, lacking the granularity and adaptability needed for complex systems. This work introduces a graph-based framework for vulnerability patch prioritization that optimizes security by integrating diverse data sources and metrics into a universally applicable model. Refined risk metrics enable detailed assessments at the component, asset, and system levels. The framework employs two key graphs: a network communication graph to model potential attack paths and identify the shortest routes to critical assets, and a system dependency graph to capture risk propagation from exploited vulnerabilities across interconnected components. Asset criticality and component dependency rules systematically assess and mitigate risks. Benchmarking against state-of-the-art methods demonstrates superior accuracy in vulnerability patch ranking, with enhanced explainability. This framework advances vulnerability management and sets the stage for future research in adaptive cybersecurity strategies.

Paper Structure

This paper contains 41 sections, 29 equations, 7 figures, 9 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Problem Statement
  3. Contributions
  4. Background
  5. CVSS and EPSS
  6. CVSS-Based Prioritization
  7. Prioritization Integrating Exploit Metrics
  8. Context-Aware Prioritization
  9. Research Gap
  10. Theoretical Definitions
  11. System, Host, Asset and Component
  12. System Graph Construction
  13. Component-Level Risk Aggregation
  14. Asset-Level Risk Aggregation
  15. System-Level Risk Aggregation
  16. ...and 26 more sections

Figures (7)

  • Figure 1: The framework of the graph-based risk aggregation approach.
  • Figure 2: Connections between system, asset and component.
  • Figure 3: Example scenario of an enterprise network configuration.
  • Figure 4: Example of network communication graph.
  • Figure 5: Example of dependency analysis.
  • ...and 2 more figures