Securing Networks Against Unpatchable and Unknown Vulnerabilities Using Heterogeneous Hardening Options

The administrators of a mission critical network usually have to worry about non-traditional threats, e.g., how to live with known, but unpatchable vul­ nerabilities, and how to improve the network’s resilience against potentially un­ known vulnerabilities. To this end, network hardening is a well known preven­ tive security solution that aims to improve network security by taking proactive actions, namely, hardening options. However, most existing network hardening approaches rely on a single hardening option, such as disabling unnecessary ser­ vices, which becomes less effective when it comes to dealing with unknown and unpatchable vulnerabilities. There lacks a heterogeneous approach that can com­ bine different hardening options in an optimal way to deal with both unknown and unpatchable vulnerabilities. In this paper, we propose such an approach by unifying multiple hardening options, such as firewall rule modification, disabling services, service diversification, and access control, under the same model. We then apply security metrics designed for evaluating network resilience against unknown and unpatchable vulnerabilities, and consequently derive optimal hard­ ening solutions that maximize security under given cost constraints.