Vulnerability Forecasting: In theory and practice
Éireann Leverett, Matilda Rhode, Adam Wedgbury

TL;DR
This paper demonstrates that it is feasible to accurately forecast the volume and characteristics of CVEs in advance, enabling more strategic patch management and vulnerability mitigation.
Contribution
It introduces methods to predict CVE volumes and attributes up to a year ahead with high accuracy, bridging theory and practical vulnerability management.
Findings
CVE volume can be predicted within 3% accuracy up to a year in advance.
Different algorithms excel at different forecast horizons.
Proportions of CVEs by vendor, software, or severity can also be estimated.
Abstract
Why wait for zero-days when you could predict them in advance? It is possible to predict the volume of CVEs released in the NVD as much as a year in advance. This can be done within 3 percent of the actual value, and different predictive algorithms perform well at different lookahead values. It is also possible to estimate the proportions of that total volume belonging to specific vendors, software, CVSS scores, or vulnerability types. With this reduction in uncertainty, strategic patch management should become much easier.
