Exploit Prediction Scoring System (EPSS)

Despite the massive investments in information security technologies and research over the past decades, the information security industry is still immature. In particular, the prioritization of remediation efforts within vulnerability management programs predominantly relies on a mixture of subjective expert opinion, severity scores, and incomplete data. Compounding the need for prioritization is the increase in the number of vulnerabilities the average enterprise has to remediate. This paper presents the first open, data-driven framework for assessing vulnerability threat, that is, the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. The scoring system has been designed to be simple enough for practitioners to implement without specialized tools or software, yet it provides accurate estimates of exploitation. Moreover, the implementation is flexible enough that it can be updated as more, and better, data becomes available. We call this system the Exploit Prediction Scoring System, EPSS.
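To make the kind of scoring system the abstract describes concrete, the following is an added example, not code from the EPSS authors and not the published EPSS model. It assumes a logistic model over a handful of binary vulnerability features, with hypothetical weights chosen here for illustration, and a constructed set of five vulnerabilities with placeholder identifiers and constructed ground-truth labels. It shows the two things a practitioner needs: computing a twelve-month exploitation probability with plain arithmetic, and checking what a remediation threshold on that probability buys in terms of efficiency (share of remediated vulnerabilities that were actually exploited) and coverage (share of exploited vulnerabilities that were remediated); those two metric names are this example's own choice.

```python
import math

# Hypothetical feature weights for a logistic model. These are NOT the
# published EPSS coefficients; they exist only to make the example run.
WEIGHTS = {
    "intercept": -4.0,
    "exploit_code_public": 2.2,      # proof-of-concept or weaponized code exists
    "cvss_network_vector": 0.8,      # reachable over the network
    "cvss_no_auth": 0.6,             # no authentication required
    "vendor_widely_deployed": 0.9,   # large installed base
    "remote_code_execution": 1.1,    # impact class
}


def exploit_probability(features: dict) -> float:
    """P(exploited in the wild within 12 months) under the logistic model:
    p = 1 / (1 + exp(-(b0 + sum_i w_i * x_i))), with x_i in {0, 1}."""
    z = WEIGHTS["intercept"]
    for name, present in features.items():
        if name not in WEIGHTS or name == "intercept":
            raise KeyError(f"unknown feature: {name}")
        z += WEIGHTS[name] * (1 if present else 0)
    return 1.0 / (1.0 + math.exp(-z))


# Constructed sample: placeholder IDs, made-up features, made-up labels
# (exploited=True means the vulnerability was later seen exploited in the wild).
SAMPLE_VULNS = {
    "CVE-EXAMPLE-0001": ({"exploit_code_public": True, "cvss_network_vector": True,
                          "cvss_no_auth": True, "vendor_widely_deployed": True,
                          "remote_code_execution": True}, True),
    "CVE-EXAMPLE-0002": ({"cvss_network_vector": True, "cvss_no_auth": True,
                          "remote_code_execution": True}, True),
    "CVE-EXAMPLE-0003": ({"exploit_code_public": True, "cvss_network_vector": True}, True),
    "CVE-EXAMPLE-0004": ({}, False),
    "CVE-EXAMPLE-0005": ({"vendor_widely_deployed": True, "cvss_network_vector": True,
                          "cvss_no_auth": True}, False),
}


def rank_vulnerabilities(vulns=SAMPLE_VULNS):
    """Score every vulnerability and return [(cve_id, probability)] in
    descending order, i.e. the remediation queue."""
    scored = [(cve, exploit_probability(feats)) for cve, (feats, _) in vulns.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def evaluate_threshold(threshold: float, vulns=SAMPLE_VULNS):
    """Remediate everything scoring >= threshold and report
    (efficiency, coverage): efficiency is the fraction of remediated
    vulnerabilities that were exploited, coverage the fraction of exploited
    vulnerabilities that were remediated."""
    remediated = {cve for cve, p in rank_vulnerabilities(vulns) if p >= threshold}
    exploited = {cve for cve, (_, label) in vulns.items() if label}
    hits = remediated & exploited
    efficiency = len(hits) / len(remediated) if remediated else 0.0
    coverage = len(hits) / len(exploited) if exploited else 0.0
    return efficiency, coverage


if __name__ == "__main__":
    for cve, p in rank_vulnerabilities():
        print(f"{cve}: {p:.3f}")
    for t in (0.1, 0.2):
        eff, cov = evaluate_threshold(t)
        print(f"threshold {t}: efficiency={eff:.2f} coverage={cov:.2f}")
```

Lowering the threshold raises coverage at the cost of efficiency, which is exactly the trade-off a remediation program has to choose; a model like this makes that choice explicit and lets the weights be refit as better exploitation data arrives.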
