Vulnerability management requires prioritizing which vulnerabilities to patch, since only a small fraction are ever exploited, and writing, testing, and installing patches can involve considerable resources, requiring companies to prioritize based on some notion of risk. Traditional severity scores, such as the Common Vulnerability Scoring System are often poor predictors of exploitation risk. Data-driven scores, such as the Exploit Prediction Scoring System, provide probabilities of exploitation, but still leave room for improvements. We propose a lightweight hybrid model using a Generalized Additive Model (GAM) that combines numeric features (CVSS base score, EPSS probability, age, reference count) with semantic text features (derived from the vulnerability description via Term Frequency–Inverse Document Frequency and Singular Value Decomposition). The GAM framework yields an interpretable, additive risk score without black-box explanations. On a 2023 training set (with labels from CISA’s KEV and public exploits), our model achieves significantly better precision-recall tradeoff than CVSS or EPSS alone. Tested on 2024 disclosures, our presented model consistently outperforms the baselines at nearly all recall levels.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A Hybrid GAM-Based Model for Predicting Vulnerability Exploitation

  • Noufal Issa,
  • Damas Gruska,
  • Loubna Ali

摘要

Vulnerability management requires prioritizing which vulnerabilities to patch, since only a small fraction are ever exploited, and writing, testing, and installing patches can involve considerable resources, requiring companies to prioritize based on some notion of risk. Traditional severity scores, such as the Common Vulnerability Scoring System are often poor predictors of exploitation risk. Data-driven scores, such as the Exploit Prediction Scoring System, provide probabilities of exploitation, but still leave room for improvements. We propose a lightweight hybrid model using a Generalized Additive Model (GAM) that combines numeric features (CVSS base score, EPSS probability, age, reference count) with semantic text features (derived from the vulnerability description via Term Frequency–Inverse Document Frequency and Singular Value Decomposition). The GAM framework yields an interpretable, additive risk score without black-box explanations. On a 2023 training set (with labels from CISA’s KEV and public exploits), our model achieves significantly better precision-recall tradeoff than CVSS or EPSS alone. Tested on 2024 disclosures, our presented model consistently outperforms the baselines at nearly all recall levels.