VPnet: A Vulnerability Prioritization Approach Using Pointer Network and Deep Reinforcement Learning

Vulnerability prioritization is becoming increasingly prominent in vulnerability management. The contradiction between mountains of vulnerability scan results and limited remediation resources is so stark that using severity scores and crude heuristics to prioritize vulnerabilities is overwhelmed. To implement better vulnerability management, this paper proposes a vulnerability prioritization approach using a pointer network and deep reinforcement learning, called VPnet. In VPnet, the objective of vulnerability prioritization is maximizing the total risk reduction in the target environment under limited resources. First, we transform vulnerability scan reports into a matrix. Each item in the matrix consists of a vulnerability risk and cost value. The former is quantified by combining severity, threat, impact, and asset criticality factors, and the latter is an estimate of the time required to patch a vulnerability. Then, we construct a pointer network that takes the matrix and a constraint value as inputs to output a priority vulnerability remediation plan. Furthermore, we use deep reinforcement learning to train the pointer network model parameter, since obtaining pointer network labels is computationally expensive. A novel method integrating imitation learning and autonomous learning is also devised to speed up the training process and produce a better model. The proposed approach VPnet is evaluated by generating simulated scenarios. Results show that our approach develops nearly optimal solutions in seconds under different scale scenarios and constraints, and achieves a 22.8% performance improvement in a practical example, indicating that our approach is effective while exhibiting flexibility and efficiency.