Vulnerability-Aware Resilient Networks: Software Diversity-based Network Adaptation
Qisheng Zhang, Jin-Hee Cho, Terrence J. Moore, Ing-Ray Chen

TL;DR
This paper introduces a vulnerability-aware network adaptation scheme based on software diversity, which enhances security while maintaining connectivity by selectively modifying network edges according to software vulnerabilities.
Contribution
It proposes a novel vulnerability-based software diversity metric and an adaptation scheme that optimizes network security through edge modifications, validated by extensive experiments.
Findings
Outperforms baseline schemes in real network experiments
Effective across different network densities and topologies
Improves security without sacrificing network connectivity
Abstract
By leveraging the principle of software polyculture to ensure security in a network, we proposed a vulnerability-based software diversity metric to determine how a network topology can be adapted to minimize security vulnerability while maintaining maximum network connectivity. Our proposed software diversity-based adaptation (SDA) scheme estimates a node's software diversity based on the vulnerabilities of software packages installed on other nodes on attack paths reachable to the node and employs it for edge adaptations, such as removing an edge with a neighboring node that exposes high security vulnerability because two connected nodes use the same software packages or a neighboring node may have high software vulnerability or adding an edge with another node with less or no security vulnerability because the two nodes use different software packages or have low vulnerabilities…
Taxonomy
Topics: Cloud Computing and Resource Management · Distributed systems and fault tolerance · Software-Defined Networks and 5G
