In this paper, we introduce a new scheme called SecureRank for prioritizing vulnerabilities to patch in computing systems/networks. This has become a key issue for IT infrastructures, as large numbers of vulnerabilities are continuously announced and IT administrators devote increasingly more resources to managing them. SecureRank prioritizes vulnerabilities and network nodes to patch based on the percentage of time a random attacker would spend trying to exploit them. Going beyond state-of-the-art approaches, SecureRank takes into account the network topology and potential node interactions in calculating their relative risk and priority. We define two metrics for the security of a network and use them to show how SecureRank outperforms key industry benchmarks in certain natural operational settings. We believe that these findings can be used as a starting point in exploring what defense strategies make sense given topology and attack strategy.
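To make the "percentage of time a random attacker would spend" idea concrete, the following added example (not code from the paper) ranks hosts by the stationary distribution of a random attacker walking a small constructed network; the pivot model (move to a reachable host with probability proportional to its vulnerability weight, restart at the entry host with probability 1 - damping) and the host names and weights are assumptions for illustration, not the paper's definitions.

```python
"""Random-attacker ranking of hosts to patch (added illustration)."""

# Constructed reachability graph: host -> hosts an attacker can pivot to.
REACH = {
    "gateway": ["web", "mail"],
    "web": ["db", "gateway"],
    "mail": ["gateway"],
    "db": ["web"],
}
# Constructed per-host vulnerability weight (e.g. number of open findings).
VULN_WEIGHT = {"gateway": 1, "web": 3, "mail": 1, "db": 2}


def secure_rank(reach, weight, entry="gateway", damping=0.85,
                iters=500, tol=1e-12):
    """Stationary share of time a random attacker spends on each host.

    Assumed model: from host i the attacker pivots to a reachable host j
    with probability proportional to weight[j]; with probability
    1 - damping it restarts at the entry host, which keeps the chain
    ergodic. Power iteration until the L1 change drops below tol.
    """
    hosts = list(reach)
    rank = {h: 1.0 / len(hosts) for h in hosts}
    for _ in range(iters):
        nxt = {h: (1.0 - damping) * (h == entry) for h in hosts}
        for src in hosts:
            if not reach[src]:            # dead end: attacker restarts
                nxt[entry] += damping * rank[src]
                continue
            total = sum(weight[dst] for dst in reach[src])
            for dst in reach[src]:
                nxt[dst] += damping * rank[src] * weight[dst] / total
        delta = sum(abs(nxt[h] - rank[h]) for h in hosts)
        rank = nxt
        if delta < tol:
            break
    return rank


def patch_order(score):
    """Hosts sorted from highest to lowest score (patch first to last)."""
    return sorted(score, key=score.get, reverse=True)


if __name__ == "__main__":
    r = secure_rank(REACH, VULN_WEIGHT)
    print("by vulnerability count:", patch_order(VULN_WEIGHT))
    print("by attacker time      :", patch_order(r))
```

Counting vulnerabilities alone puts `db` ahead of `gateway`; the topology-aware ranking reverses them because every pivot back from the internal hosts passes through the gateway.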