Vulnerability Forecasting: Theory and Practice

Abstract: It is possible to forecast the volume of CVEs released within a time frame with a given prediction interval. For example, the number of CVEs published between now and 365 days from now can be predicted a year in advance within 8% of the actual value. Different predictive algorithms perform well at different lookahead values other than 365 days, such as monthly, quarterly, and half year. It is also possible to estimate the proportions of that total volume belonging to specific vendors, software, CVSS scores, or… Show more

“…Furthermore, we tried to maintain a balance between open-and closedsource software. Finally, these projects have been extensively used in the related literature for vulnerability analysis, prediction, and forecasting tasks [12][13][14]18]. After selecting the software projects covered in our analysis, we proceeded with collecting their corresponding vulnerability datasets from the NVD repository, starting from the first day of their release up until the latest available record by the end of 2021.…”

“…The majority of these algorithms are time series models that keep track of all the vulnerabilities in terms of calendar time and interpret that time as an independent variable [11]. Statistical models such as Autoregressive Integrated Moving Average (ARIMA), Croston's method, logistic regression, and exponential smoothing models have attracted the interest of the researchers in the field [12,13]. Machine Learning (ML) models have been considered as well.…”

“…In their study, they focused on the prediction of the digital currency price through time. Recent studies have introduced DL models as predictors capable of modelling the evolution of the vulnerabilities number in time [12,17]. Despite the existing attempts, a lack in the literature of a thorough DL analysis for vulnerability forecasting was noticed.…”

“…Despite the existing attempts, a lack in the literature of a thorough DL analysis for vulnerability forecasting was noticed. In fact, although the existing studies [12,14,18] use neural networks to forecast the vulnerabilities number, their predictive capacity has not been thoroughly studied. Gencer et al [17] recently conducted a more in-depth analysis, by considering several DL algorithms; however, they focused only on Android systems.…”

“…To sum up, in comparison with the state-of-the-art approaches, our contribution is primarily that we proceeded to the first thorough investigation of the capacity of DL in forecasting the number of vulnerabilities for a specific project in a future timestep, and subsequently that we performed an in-depth comparison between statistical and DL methods for the task of vulnerability forecasting. Most studies in the field examine traditional statistical time-series models [8,9,11,13] while few of them also examine ML models [12,14] or they just include in their analysis a kind of neural network, without proceeding with an in-depth analysis of DL models [12]. The only known work being closely related to ours that attempts to address the aforementioned issues is the work conducted by Gencer et al [17].…”

Time Series Forecasting of Software Vulnerabilities Using Statistical and Deep Learning Models

“…Furthermore, we tried to maintain a balance between open-and closedsource software. Finally, these projects have been extensively used in the related literature for vulnerability analysis, prediction, and forecasting tasks [12][13][14]18]. After selecting the software projects covered in our analysis, we proceeded with collecting their corresponding vulnerability datasets from the NVD repository, starting from the first day of their release up until the latest available record by the end of 2021.…”

“…The majority of these algorithms are time series models that keep track of all the vulnerabilities in terms of calendar time and interpret that time as an independent variable [11]. Statistical models such as Autoregressive Integrated Moving Average (ARIMA), Croston's method, logistic regression, and exponential smoothing models have attracted the interest of the researchers in the field [12,13]. Machine Learning (ML) models have been considered as well.…”

“…In their study, they focused on the prediction of the digital currency price through time. Recent studies have introduced DL models as predictors capable of modelling the evolution of the vulnerabilities number in time [12,17]. Despite the existing attempts, a lack in the literature of a thorough DL analysis for vulnerability forecasting was noticed.…”

“…Despite the existing attempts, a lack in the literature of a thorough DL analysis for vulnerability forecasting was noticed. In fact, although the existing studies [12,14,18] use neural networks to forecast the vulnerabilities number, their predictive capacity has not been thoroughly studied. Gencer et al [17] recently conducted a more in-depth analysis, by considering several DL algorithms; however, they focused only on Android systems.…”

“…To sum up, in comparison with the state-of-the-art approaches, our contribution is primarily that we proceeded to the first thorough investigation of the capacity of DL in forecasting the number of vulnerabilities for a specific project in a future timestep, and subsequently that we performed an in-depth comparison between statistical and DL methods for the task of vulnerability forecasting. Most studies in the field examine traditional statistical time-series models [8,9,11,13] while few of them also examine ML models [12,14] or they just include in their analysis a kind of neural network, without proceeding with an in-depth analysis of DL models [12]. The only known work being closely related to ours that attempts to address the aforementioned issues is the work conducted by Gencer et al [17].…”

Time Series Forecasting of Software Vulnerabilities Using Statistical and Deep Learning Models

Patchy incentives: using law to encourage effective vulnerability response

ARCS-R: Mission Critical Combined Reliability and Cybersecurity Systems Engineering Analysis