Related Literature

Below are some papers related to several categories of EPSS:

If you know of a paper that is missing from our list, feel free to send us the full citation and link at epss-chairs at first.org

Vulnerability Exploit Prediction

  1. Bozorgi, Mehran, Lawrence K. Saul, Stefan Savage, and Geoffrey M. Voelker, (2010) Beyond Heuristics: Learning to Classify Vulnerabilities and Predict Exploits. Available at http://cseweb.ucsd.edu/~saul/papers/kdd10_exploit.pdf.
  2. Michel Edkrantz and Alan Said. Predicting cyber vulnerability exploits with machine learning. In SCAI, pages 48–57, 2015.
  3. Carl Sabottke, Octavian Suciu, and Tudor Dumitras, Vulnerability disclosure in the age of social media: exploiting twitter for predicting real-world exploits. In 24th USENIX Security Symposium (USENIX Security 15), pages 1041–1056, 2015.
  4. Mohammed Almukaynizi, Eric Nunes, Krishna Dharaiya, Manoj Senguttuvan, Jana Shakarian, and Paulo Shakarian. Proactive identification of exploits in the wild through vulnerability mentions online. In 2017 International Conference on Cyber Conflict (CyCon US), pages 82–88. IEEE, 2017.
  5. Benjamin L. Bullough, Anna K. Yanchenko, Christopher L. Smith, and Joseph R. Zipkin. 2017. Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data. In Proceedings of the 3rd ACM on International Workshop on Security And Privacy Analytics (IWSPA '17). Association for Computing Machinery, New York, NY, USA, 45–53. https://doi.org/10.1145/3041008.3041009
  6. Reinthal, A., Filippakis, E.L., Almgren, M. (2018). Data Modelling for Predicting Exploits. In: Gruschka, N. (eds) Secure IT Systems. NordSec 2018. Lecture Notes in Computer Science, vol 11252. Springer, Cham. https://doi.org/10.1007/978-3-030-03638-6_21
  7. Haipeng Chen, Rui Liu, Noseong Park, and V.S. Subrahmanian. 2019. Using Twitter to Predict When Vulnerabilities will be Exploited. In Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining (KDD '19). Association for Computing Machinery, New York, NY, USA, 3143–3152. https://doi.org/10.1145/3292500.3330742
  8. Nazgol Tavabi, Palash Goyal, Mohammed Almukaynizi, Paulo Shakarian, and Kristina Lerman. 2018. Darkembed: Exploit prediction with neural language models. In AAAI Conference on Innovative Applications of Artificial Intelligence (IAAI).
  9. Chaowei Xiao, Armin Sarabi, Yang Liu, Bo Li, Mingyan Liu, and Tudor Dumitras. 2018. From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild. In 27th USENIX Security Symposium (USENIX Security ’18). 903–918.
  10. Kenneth Alperin, Allan Wollaber, Dennis Ross, Pierre Trepagnier, and Leslie Leonard. 2019. Risk Prioritization by Leveraging Latent Vulnerability Features in a Contested Environment. In Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security (AISec'19). Association for Computing Machinery, New York, NY, USA, 49–57. https://doi.org/10.1145/3338501.3357365
  11. Fang Y, Liu Y, Huang C, Liu L. FastEmbed: Predicting vulnerability exploitation possibility based on ensemble machine learning algorithm. PLoS One. 2020 Feb 6;15(2):e0228439. doi: 10.1371/journal.pone.0228439. PMID: 32027693; PMCID: PMC7004314.
  12. Hoque, Mohammad Shamsul, Norziana Jamil, Nowshad Amin and Kwok-Yan Lam. “An Improved Vulnerability Exploitation Prediction Model with Novel Cost Function and Custom Trained Word Vector Embedding.” Sensors (Basel, Switzerland) 21 (2021): n. pag.
  13. Bhatt, N, Anand, A, Yadavalli, VSS. Exploitability prediction of software vulnerabilities. Qual Reliab Engng Int. 2021; 37: 648–663. https://doi.org/10.1002/qre.2754

Attack Prediction

  1. S. Mathew, D. Britt, R. Giomundo, S. Upadhyaya, M. Sudit and A. Stotz, "Real-time multistage attack awareness through enhanced intrusion alert clustering," MILCOM 2005 - 2005 IEEE Military Communications Conference, Atlantic City, NJ, 2005, pp. 1801-1806 Vol. 3, doi: 10.1109/MILCOM.2005.1605934.
  2. D. S. Fava, S. R. Byers and S. J. Yang, "Projecting Cyberattacks Through Variable-Length Markov Models," in IEEE Transactions on Information Forensics and Security, vol. 3, no. 3, pp. 359-369, Sept. 2008, doi: 10.1109/TIFS.2008.924605.
  3. Paul A. Watters, Stephen McCombie, Robert Layton, Josef Pieprzyk, “Characterising and Predicting Cyberattacks Using the Cyber Attacker Model Profile (CAMP),” Journal of Money Laundering Control, Vol. 5, No. 4, 2012, pp. 430-441.
  4. M. Abdlhamed, K. Kifayat, Q. Shi, and W. Hurst, “A system for intrusion prediction in cloud computing”, in Proceedings of the International Conference on Internet of Things and Cloud Computing, ser. ICC ’16, New York, NY, USA: ACM, 2016, pp. 35:1–35:9.
  5. Valerii Lakhno, Svitlana Kazmirchuk, Yulia Kovalenko, Larisa Myrutenko, and Tetyana Okhrimenko, “Design of Adaptive System of Detection of Cyber-attacks, Based on the Model of Logical Procedures and the Coverage Matrices of Features”, East European Journal of Advanced Technology, Vol 3, No. 9, June 2016, pp. 30-38
  6. Leyla Bilge, Yufei Han, and Matteo Dell’Amico, “RiskTeller: Predicting the Risk of Cyber Incidents”, Session F2: Insights from Log(in)s CCS’17, October 30-November 3, 2017: Dallas, TX, USA.
  7. Fuertes, W.; Reyes, F.; Valladares, P.; Tapia, F.; Toulkeridis, T.; Pérez, E. An Integral Model to Provide Reactive and Proactive Services in an Academic CSIRT Based on Business Intelligence. Systems 2017, 5, 52.
  8. Hassan Halawa, Matei Ripeanu, Konstantin Beznosov, Baris Coskun, and Meizhu Liu. 2017. An Early Warning System for Suspicious Accounts. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISec ’17). Association for Computing Machinery, New York, NY, USA, 51–52. DOI:https://doi.org/10.1145/3128572.3140455
  9. Ahmet Okutan, Shanchieh Jay Yang, and Katie McConky, “Predicting Cyber Attacks with Bayesian Networks Using Unconventional Signals”, CISRC '17 Proceedings of the 12th Annual Conference on Cyber and Information Security Research, No. 13, 2017.
  10. D. Maimon, O. Babko-Malaya, R. Cathey and S. Hinton, "Re-thinking Online Offenders’ SKRAM: Individual Traits and Situational Motivations as Additional Risk Factors for Predicting Cyber Attacks," 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC/PiCom/DataCom/CyberSciTech), Orlando, FL, 2017, pp. 232-238, doi: 10.1109/DASC-PICom-DataCom-CyberSciTec.2017.50.
  11. A. Dalton, B. Dorr, L. Liang and K. Hollingshead, "Improving cyber-attack predictions through information foraging," 2017 IEEE International Conference on Big Data (Big Data), Boston, MA, 2017, pp. 4642-4647, doi: 10.1109/BigData.2017.8258509.
  12. Abeshu and N. Chilamkurti, “Deep Learning: The Frontier for Distributed Attack Detection in Fog-to-Things Computing”, IEEE Communications Magazine, Vol. 56, No. 2, 2018, pp. 169-175.
  13. Palash Goyal, KSM Tozammel Hossain, Ashok Deb, Nazgol Tavabi, Nathan Bartley, Andres Abeliuk, Emilio Ferrara and Kristina Lerman, “Discovering Signals from Web Sources to Predict Cyber Attacks”, IEEE Systems, Vol. X, No. X, August, 2018.
  14. Husák, Martin & Komárková, Jana & Bou-Harb, Elias & Celeda, Pavel. (2018). Survey of Attack Projection, Prediction, and Forecasting in Cyber Security. IEEE Communications Surveys & Tutorials. PP. 10.1109/COMST.2018.2871866.
  15. Hernandez-Suarez, Aldo & Sanchez-Perez, Gabriel & Toscano-Medina, Karina & Martinez-Hernandez, Victor & Perez-Meana, Hector & Olivares Mercado, Jesus & Sanchez, Victor. (2018). Social Sentiment Sensor in Twitter for Predicting Cyber-Attacks Using ℓ1 Regularization. Sensors. 18. 1380. 10.3390/s18051380.
  16. Allen D. Householder, Jeff Chrabaszcz, Trent Novelly, David Warren, Jonathan M. Spring, (2020), Historical Analysis of Exploit Availability Timelines, CERT/CC and Govini.

Software Exploitation, Patch Management

  1. Beattie, S., Arnold, S., Cowan, C., Wagle, P., Wright, C., & Shostack, A. (2002, November). Timing the Application of Security Patches for Optimal Uptime. In LISA (Vol. 2, pp. 233-242).
  2. Arora, A., Telang, R., & Xu, H. (2008). Optimal policy for software vulnerability disclosure. Management Science, 54(4), 642-656.
  3. August, T., & Tunca, T. I. (2008). Let the pirates patch? an economic analysis of software security patch restrictions. Information Systems Research, 19(1), 48-70.
  4. Sam Ransbotham (2010), An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software, Ninth Workshop On The Economics Of Information Security, Boston, MA, June 2010, https://www.econinfosec.org/archive/weis2010/papers/session6/weis2010_ransbotham.pdf.
  5. August, T., & Tunca, T. I. (2011). Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Science, 57(5), 934-959.
  6. Ransbotham, S., Mitra, S., & Ramsey, J. (2012). Are markets for vulnerabilities effective?. MIS Quarterly, 43-64.
  7. Dey, D., Lahiri, A., & Zhang, G. (2015). Optimal policies for security patch management. INFORMS Journal on Computing, 27(3), 462-477.
  8. August, T., Dao, D., & Kim, K. (2019). Market segmentation and software security: Pricing patching rights. Management Science. In Press.
  9. Kenna Security and Cyentia Institute. Prioritization to prediction, volume 3. Technical report, Kenna Security, July 2019.
  10. Allodi, L., and Massacci, F, (2014). Comparing Vulnerability Severity and Exploits Using Case-Control Studies. ACM Trans. Inf. Syst. Secur. 17, 1, Article 1 (August 2014), 20 pages. DOI:https://doi.org/10.1145/2630069
  11. Allodi L. (2015) The Heavy Tails of Vulnerability Exploitation. In: Piessens F., Caballero J., Bielova N. (eds) Engineering Secure Software and Systems. ESSoS 2015. Lecture Notes in Computer Science, vol 8978. Springer, Cham. https://doi.org/10.1007/978-3-319-15618-7_11
  12. Allodi, L., Corradin, M., and Massacci, F, (2016), "Then and Now: On the Maturity of the Cybercrime Markets The Lesson That Black-Hat Marketeers Learned," in IEEE Transactions on Emerging Topics in Computing, vol. 4, no. 1, pp. 35-46, Jan.-March 2016, doi: 10.1109/TETC.2015.2397395.
  13. Allodi, L., (2017), Economic Factors of Vulnerability Trade and Exploitation. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17). Association for Computing Machinery, New York, NY, USA, 1483–1499. DOI:https://doi.org/10.1145/3133956.3133960
  14. Allodi, L. and Massacci, F. (2017), Security Events and Vulnerability Data for Cybersecurity Risk Estimation. Risk Analysis, 37: 1606–1627. doi:10.1111/risa.12864
  15. Allodi, L., Massacci, F. and Williams, J. (2021), The Work‐Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures. Risk Analysis. https://doi.org/10.1111/risa.13732

Vulnerability Disclosure Policies, Timing

  1. Kannan, K., & Telang, R. (2005). Market for software vulnerabilities? Think again. Management science, 51(5), 726-740.
  2. Cavusoglu, H., Cavusoglu, H., & Raghunathan, S. (2007). Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Transactions on Software Engineering, 33(3), 171-185.
  3. Cavusoglu, H., H. Cavusoglu, and J. Zhang (2008). Security patch management: Share the burden or share the damage? Management Science 54(4), 657–670.
  4. Sabyasachi Mitra and Sam Ransbotham. The effects of vulnerability disclosure policy on the diffusion of security attacks. Information Systems Research, 26(3):565–584, 2015.
  5. Boechat, F., Ribas, G., Senos, L., Bicudo, M., Nogueira, M. S., de Aguiar, L. P., & Menasche, D. S. (2021). Is Vulnerability Report Confidence Redundant? Pitfalls Using Temporal Risk Scores. IEEE Security & Privacy, (01), 2-11.

Vulnerability Modeling

  1. Afsah Anwar, Ahmed Abusnaina, Songqing Chen, Frank Li, David Mohaisen, (2020) Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses, available at arXiv:2006.15074v1.
  2. Miranda, L., Vieira, D., de Aguiar, L. P., Menasche, D. S., Bicudo, M., Nogueira, M., ... & Lovat, E. (2021). On the Flow of Software Security Advisories. IEEE Transactions on Network and Service Management.
  3. R. A. Miura-Ko and N. Bambos, "SecureRank: A Risk-Based Vulnerability Management Scheme for Computing Infrastructures," 2007 IEEE International Conference on Communications, 2007, pp. 1455-1460, doi: 10.1109/ICC.2007.244.
  4. H. Chen, J. Liu, R. Liu, N. Park and V. S. Subrahmanian, “VEST: A System for Vulnerability Exploit Scoring & Timing”, Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, 2019, pp. 6503-6505, doi: 10.24963/ijcai.2019/937.
  5. H. Chen, J. Liu, R. Liu, N. Park and V. S. Subrahmanian, "VASE: A Twitter-Based Vulnerability Analysis and Score Engine," 2019 IEEE International Conference on Data Mining (ICDM), 2019, pp. 976-981, doi: 10.1109/ICDM.2019.00110.
  6. Andrey Nikonov, Alexey Vulfin, Vladimir Vasilyev, Anastasia Kirillova, Vladimir Mikhailov, "System for Estimation CVSS Severity Metrics of Vulnerability Based on Text Mining Technology", Information Technology and Nanotechnology (ITNT) 2021 International Conference, pp. 1-5, 2021.
  7. M. Walkowski, M. Krakowiak, M. Jaroszewski, J. Oko and S. Sujecki, "Automatic CVSS-based Vulnerability Prioritization and Response with Context Information," 2021 International Conference on Software, Telecommunications and Computer Networks (SoftCOM), 2021, pp. 1-6, doi: 10.23919/SoftCOM52868.2021.9559094.
  8. Walkowski, M.; Oko, J.; Sujecki, S., “Vulnerability Management Models Using a Common Vulnerability Scoring System”, Appl. Sci. 2021, 11, 8735. https://doi.org/10.3390/app11188735

Modeling Techniques and Foundations

  1. Arthur E Hoerl and Robert W Kennard. Ridge regression: Biased estimation for nonorthogonal problems. Technometrics, 12(1):55–67, 1970.
  2. Chinchor, Nancy. (1992). MUC-4 evaluation metrics. Proceedings of the Fourth Message Understanding Conference. 22-29. 10.3115/1072064.1072067.
  3. Kubat, M & Matwin, Stan. (2000). Addressing the Curse of Imbalanced Training Sets: One-Sided Selection. Fourteenth International Conference on Machine Learning.
  4. Hui Zou and Trevor Hastie. Regularization and variable selection via the elastic net. Journal of the royal statistical society: series B (statistical methodology), 67(2):301–320, 2005.
  5. Rose, Stuart & Engel, Dave & Cramer, Nick & Cowley, Wendy. (2010). Automatic Keyword Extraction from Individual Documents. Text Mining: Applications and Theory. 1 - 20. 10.1002/9780470689646.ch1.
  6. Alfredo Vellido, José David Martín-Guerrero, and Paulo JG Lisboa. Making machine learning models interpretable. In ESANN, volume 12, pages 163–172. Citeseer, 2012.
  7. Federico Cabitza, Raffaele Rasoini, and Gian Franco Gensini. Unintended consequences of machine learning in medicine. JAMA, 318(6):517–518, 2017.
  8. Jonathan H Chen and Steven M Asch. Machine learning and prediction in medicine—beyond the peak of inflated expectations. The New England journal of medicine, 376(26):2507, 2017.
  9. Chen, T., Guestrin, C., (2016) XGBoost: A Scalable Tree Boosting System, KDD ’16, San Francisco, CA. Available at https://arxiv.org/abs/1603.02754. Last accessed February 16, 2019.
  10. Finale Doshi-Velez and Been Kim. Towards a rigorous science of interpretable machine learning. arXiv preprint arXiv:1702.08608, 2017.