Modeling Sparse and Bursty Vulnerability Sightings: Forecasting Under Data Constraints

TL;DR

This paper explores various statistical and machine learning models to forecast sparse, bursty vulnerability sightings, highlighting the challenges and proposing practical solutions for cyber threat intelligence.

Contribution

It evaluates the effectiveness of SARIMAX, count-based models, and simple decay functions for short-term forecasting of vulnerability sightings under data constraints.

Findings

SARIMAX models are limited for sparse, bursty data.

Count-based models like Poisson regression offer more stable forecasts.

Exponential decay functions provide practical short-term estimates.

Abstract

Understanding and anticipating vulnerability-related activity is a major challenge in cyber threat intelligence. This work investigates whether vulnerability sightings, such as proof-of-concept releases, detection templates, or online discussions, can be forecast over time. Building on our earlier work on VLAI, a transformer-based model that predicts vulnerability severity from textual descriptions, we examine whether severity scores can improve time-series forecasting as exogenous variables. We evaluate several approaches for short-term forecasting of sightings per vulnerability. First, we test SARIMAX models with and without log(x+1) transformations and VLAI-derived severity inputs. Although these adjustments provide limited improvements, SARIMAX remains poorly suited to sparse, short, and bursty vulnerability data. In practice, forecasts often produce overly wide confidence intervals and sometimes unrealistic negative values. To better capture the discrete and event-driven nature of sightings, we then explore count-based methods such as Poisson regression. Early results show that these models produce more stable and interpretable forecasts, especially when sightings are aggregated weekly. We also discuss simpler operational alternatives, including exponential decay functions for short forecasting horizons, to estimate future activity without requiring long historical series. Overall, this study highlights both the potential and the limitations of forecasting rare and bursty cyber events, and provides practical guidance for integrating predictive analytics into vulnerability intelligence workflows.