Related Papers

Below are some papers related to several categories of EPSS:

If you know of a paper that is missing from our list, feel free to send us the full citation and link at epss-chairs at

Attack Prediction

  1. S. Mathew, D. Britt, R. Giomundo, S. Upadhyaya, M. Sudit and A. Stotz, "Real-time multistage attack awareness through enhanced intrusion alert clustering," MILCOM 2005 - 2005 IEEE Military Communications Conference, Atlantic City, NJ, 2005, pp. 1801-1806 Vol. 3, doi: 10.1109/MILCOM.2005.1605934.
  2. D. S. Fava, S. R. Byers and S. J. Yang, "Projecting Cyberattacks Through Variable-Length Markov Models," in IEEE Transactions on Information Forensics and Security, vol. 3, no. 3, pp. 359-369, Sept. 2008, doi: 10.1109/TIFS.2008.924605.
  3. Bozorgi, Mehran, Lawrence K. Saul, Stefan Savage, and Geoffrey M. Voelker, (2010) Beyond Heuristics: Learning to Classify Vulnerabilities and Predict Exploits. Available at
  4. Paul A. Watters, Stephen McCombie, Robert Layton, Josef Pieprzyk, “Characterising and Predicting Cyberattacks Using the Cyber Attacker Model Profile (CAMP),” Journal of Money Laundering Control, Vol. 5, No. 4, 2012, pp. 430-441.
  5. Michel Edkrantz and Alan Said. Predicting cyber vulnerability exploits with machine learning. In SCAI, pages 48–57, 2015.
  6. Carl Sabottke, Octavian Suciu, and Tudor Dumitras, Vulnerability disclosure in the age of social media: exploiting twitter for predicting real-world exploits. In 24th USENIX Security Symposium (USENIX Security 15), pages 1041–1056, 2015.
  7. M. Abdlhamed, K. Kifayat, Q. Shi, and W. Hurst, “A system for intrusion prediction in cloud computing”, in Proceedings of the International Conference on Internet of Things and Cloud Computing, ser. ICC ’16, New York, NY, USA: ACM, 2016, pp. 35:1–35:9.
  8. Valerii Lakhno, Svitlana Kazmirchuk, Yulia Kovalenko, Larisa Myrutenko, and Tetyana Okhrimenko, “Design of Adaptive System of Detection of Cyber-attacks, Based on the Model of Logical Procedures and the Coverage Matrices of Features”, East European Journal of Advanced Technology, Vol 3, No. 9, June 2016, pp. 30-38
  9. Leyla Bilge, Yufei Han, and Matteo Dell’Amico, “RiskTeller: Predicting the Risk of Cyber Incidents”, Session F2: Insights from Log(in)s CCS’17, October 30-November 3, 2017: Dallas, TX, USA.
  10. Fuertes, W.; Reyes, F.; Valladares, P.; Tapia, F.; Toulkeridis, T.; Pérez, E. An Integral Model to Provide Reactive and Proactive Services in an Academic CSIRT Based on Business Intelligence. Systems 2017, 5, 52.
  11. Hassan Halawa, Matei Ripeanu, Konstantin Beznosov, Baris Coskun, and Meizhu Liu. 2017. An Early Warning System for Suspicious Accounts. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISec ’17). Association for Computing Machinery, New York, NY, USA, 51–52. DOI:
  12. Ahmet Okutan, Shanchieh Jay Yang, and Katie McConky, “Predicting Cyber Attacks with Bayesian Networks Using Unconventional Signals”, CISRC '17 Proceedings of the 12th Annual Conference on Cyber and Information Security Research, No. 13, 2017.
  13. D. Maimon, O. Babko-Malaya, R. Cathey and S. Hinton, "Re-thinking Online Offenders’ SKRAM: Individual Traits and Situational Motivations as Additional Risk Factors for Predicting Cyber Attacks," 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC/PiCom/DataCom/CyberSciTech), Orlando, FL, 2017, pp. 232-238, doi: 10.1109/DASC-PICom-DataCom-CyberSciTec.2017.50.
  14. A. Dalton, B. Dorr, L. Liang and K. Hollingshead, "Improving cyber-attack predictions through information foraging," 2017 IEEE International Conference on Big Data (Big Data), Boston, MA, 2017, pp. 4642-4647, doi: 10.1109/BigData.2017.8258509.
  15. Mohammed Almukaynizi, Eric Nunes, Krishna Dharaiya, Manoj Senguttuvan, Jana Shakarian, and Paulo Shakarian. Proactive identification of exploits in the wild through vulnerability mentions online. In 2017 International Conference on Cyber Conflict (CyCon US), pages 82–88. IEEE, 2017.
  16. Abeshu and N. Chilamkurti, “Deep Learning: The Frontier for Distributed Attack Detection in Fog-to-Things Computing”, IEEE Communications Magazine, Vol. 56, No. 2, 2018, pp. 169-175.
  17. Palash Goyal, KSM Tozammel Hossain, Ashok Deb, Nazgol Tavabi, Nathan Bartley, Andres Abeliuk, Emilio Ferrara and Kristina Lerman, “Discovering Signals from Web Sources to Predict Cyber Attacks”, IEEE Systems, Vol. X, No. X, August, 2018.
  18. Husák, Martin & Komárková, Jana & Bou-Harb, Elias & Celeda, Pavel. (2018). Survey of Attack Projection, Prediction, and Forecasting in Cyber Security. IEEE Communications Surveys & Tutorials. PP. 10.1109/COMST.2018.2871866.
  19. Hernandez-Suarez, Aldo & Sanchez-Perez, Gabriel & Toscano-Medina, Karina & Martinez-Hernandez, Victor & Perez-Meana, Hector & Olivares Mercado, Jesus & Sanchez, Victor. (2018). Social Sentiment Sensor in Twitter for Predicting Cyber-Attacks Using ℓ1 Regularization. Sensors. 18. 1380. 10.3390/s18051380.
  20. Allen D. Householder, Jeff Chrabaszcz, Trent Novelly, David Warren, Jonathan M. Spring, (2020), Historical Analysis of Exploit Availability Timelines, CERT/CC and Govini.

Software Exploitation, Patch Management

  1. Beattie, S., Arnold, S., Cowan, C., Wagle, P., Wright, C., & Shostack, A. (2002, November). Timing the Application of Security Patches for Optimal Uptime. In LISA (Vol. 2, pp. 233-242).
  2. Arora, A., Telang, R., & Xu, H. (2008). Optimal policy for software vulnerability disclosure. Management Science, 54(4), 642-656.
  3. August, T., & Tunca, T. I. (2008). Let the pirates patch? an economic analysis of software security patch restrictions. Information Systems Research, 19(1), 48-70.
  4. Sam Ransbotham (2010), An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software, Ninth Workshop On The Economics Of Information Security, Boston, MA, June 2010,
  5. August, T., & Tunca, T. I. (2011). Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Science, 57(5), 934-959.
  6. Steve Beattie, Seth Arnold, Crispin Cowan, Perry Wagle, Chris Wright, and Adam Shostack. Timing the application of security patches for optimal uptime. In LISA, volume 2, pages 233–242, 2002.
  7. Ransbotham, S., Mitra, S., & Ramsey, J. (2012). Are markets for vulnerabilities effective?. MIS Quarterly, 43-64.
  8. Dey, D., Lahiri, A., & Zhang, G. (2015). Optimal policies for security patch management. INFORMS Journal on Computing, 27(3), 462-477.
  9. August, T., Dao, D., & Kim, K. (2019). Market segmentation and software security: Pricing patching rights. Management Science. In Press.
  10. Kenna Security and Cyentia Institute. Prioritization to prediction, volume 3. Technical report, Kenna Security, July 2019.
  11. Allodi, L., and Massacci, F, (2014). Comparing Vulnerability Severity and Exploits Using Case-Control Studies. ACM Trans. Inf. Syst. Secur. 17, 1, Article 1 (August 2014), 20 pages. DOI:
  12. Allodi L. (2015) The Heavy Tails of Vulnerability Exploitation. In: Piessens F., Caballero J., Bielova N. (eds) Engineering Secure Software and Systems. ESSoS 2015. Lecture Notes in Computer Science, vol 8978. Springer, Cham.
  13. Allodi, L., Corradin, M., and Massacci, F, (2016), "Then and Now: On the Maturity of the Cybercrime Markets The Lesson That Black-Hat Marketeers Learned," in IEEE Transactions on Emerging Topics in Computing, vol. 4, no. 1, pp. 35-46, Jan.-March 2016, doi: 10.1109/TETC.2015.2397395.
  14. Allodi, L., (2017), Economic Factors of Vulnerability Trade and Exploitation. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17). Association for Computing Machinery, New York, NY, USA, 1483–1499. DOI:
  15. Allodi, L. and Massacci, F. (2017), Security Events and Vulnerability Data for Cybersecurity Risk Estimation. Risk Analysis, 37: 1606–1627. doi:10.1111/risa.12864
  16. Allodi, L., Massacci, F. and Williams, J. (2021), The Work‐Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures. Risk Analysis.

Vulnerability Disclosure Policies, Timing

  1. Kannan, K., & Telang, R. (2005). Market for software vulnerabilities? Think again. Management science, 51(5), 726-740.
  2. Cavusoglu, H., Cavusoglu, H., & Raghunathan, S. (2007). Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Transactions on Software Engineering, 33(3), 171-185.
  3. Cavusoglu, H., H. Cavusoglu, and J. Zhang (2008). Security patch management: Share the burden or share the damage? Management Science 54(4), 657–670.
  4. Sabyasachi Mitra and Sam Ransbotham. The effects of vulnerability disclosure policy on the diffusion of security attacks. Information Systems Research, 26(3):565–584, 2015.
  5. Boechat, F., Ribas, G., Senos, L., Bicudo, M., Nogueira, M. S., de Aguiar, L. P., & Menasche, D. S. (2021). Is Vulnerability Report Confidence Redundant? Pitfalls Using Temporal Risk Scores. IEEE Security & Privacy, (01), 2-11.

Vulnerability Modeling

  1. Afsah Anwar, Ahmed Abusnaina, Songqing Chen, Frank Li, David Mohaisen, (2020) Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses, available at arXiv:2006.15074v1.
  2. Miranda, L., Vieira, D., de Aguiar, L. P., Menasche, D. S., Bicudo, M., Nogueira, M., ... & Lovat, E. (2021). On the Flow of Software Security Advisories. IEEE Transactions on Network and Service Management.

Modeling Techniques and Foundations

  1. Arthur E Hoerl and Robert W Kennard. Ridge regression: Biased estimation for nonorthogonal problems. Technometrics, 12(1):55–67, 1970.
  2. Chinchor, Nancy. (1992). MUC-4 evaluation metrics. Proceedings of the Fourth Message Understanding Conference. 22-29. 10.3115/1072064.1072067.
  3. Kubat, M & Matwin, Stan. (2000). Addressing the Curse of Imbalanced Training Sets: One-Sided Selection. Fourteenth International Conference on Machine Learning.
  4. Hui Zou and Trevor Hastie. Regularization and variable selection via the elastic net. Journal of the royal statistical society: series B (statistical methodology), 67(2):301–320, 2005.
  5. Rose, Stuart & Engel, Dave & Cramer, Nick & Cowley, Wendy. (2010). Automatic Keyword Extraction from Individual Documents. Text Mining: Applications and Theory. 1 - 20. 10.1002/9780470689646.ch1.
  6. Alfredo Vellido, José David Martín-Guerrero, and Paulo JG Lisboa. Making machine learning models interpretable. In ESANN, volume 12, pages 163–172. Citeseer, 2012.
  7. Federico Cabitza, Raffaele Rasoini, and Gian Franco Gensini. Unintended consequences of machine learning in medicine. Jama, 318(6):517–518, 2017.
  8. Jonathan H Chen and Steven M Asch. Machine learning and prediction in medicine—beyond the peak of inflated expectations. The New England journal of medicine, 376(26):2507, 2017.
  9. Chen, T., Guestrin, C., (2016) XGBoost: A Scalable Tree Boosting System, KDD ’16, San Francisco, CA. Available at Last accessed February 16, 2019.
  10. Finale Doshi-Velez and Been Kim. Towards a rigorous science of interpretable machine learning. arXiv preprint arXiv:1702.08608, 2017.