An integrated security hardening optimization for dynamic networks using security and availability modeling with multi-objective algorithm

The dynamicity of today's networks has created uncertainties for security administrators about the defense options to deploy. In this paper, we consider the administrator's challenge of selecting and deploying the best set of heterogeneous security hardening solutions for dynamic networks given multiple constraints (such as fixed budget, availability of hardening measures, performance degradation, non-patchable vulnerabilities, etc). The current state of the art does not focus on the dynamic characteristic of modern networks, where the effectiveness of defenses is affected by changes in the networks. Hence, we approach this challenge by developing an integrated method to effectively compute optimal defense solutions for dynamic networks given multiple objectives and constraints. The proposed approach works in the following five phases: (1) input/data collection, (2) model construction (using temporal-graph-based security model and Generalized Stochastic Petri Nets), (3) defense evaluator (based on security metrics), (4) Pareto optimal set evaluator (using Non dominated Sorting Genetic Algorithm), and (5) optimal solution evaluator (based on Weighted Sum Model). To demonstrate the feasibility of the proposed approach, we use a real-world case study while taking into account both the vulnerabilities that are patchable and non-patchable. We investigated the sensitivity of the model parameters based on the dynamic network, and the result showed a good result for values from 0.1-0.4 for the mutation probability while the crossover did not change for all the values. Furthermore, we compared the dynamic network optimization results to a static network and the evaluation shows that our proposed approach could aid a security administrator in selecting the best defense options to deploy for modern networks that are dynamic, with at least 75% and 62.50% of the defense Pareto points appearing in consecutive and in all network states, respectively. Moreover, it also provides an insight into the benefit of each defense option before the deployment.