The EPSS Model

<!doctype html><html lang="en" class="web tlp-clear" data-studio-config="eyJ4aHJDcmVkZW50aWFscyI6ZmFsc2UsInhockhlYWRlcnMiOnt9fQo="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>The EPSS Model</title> <meta property="og:title" content="The EPSS Model" /> <meta property="og:type" content="website" /> <meta property="og:image" content="https://www.first.org/_/img/first-big-icon.png" /> <meta property="og:url" content="https://www.first.org/epss/papers" /> <meta property="og:site_name" content="FIRST — Forum of Incident Response and Security Teams" /> <meta property="fb:profile_id" content="296983660669109" /> <meta property="twitter:card" content="summary" /> <meta property="twitter:site" content="@FIRSTdotOrg" /><meta name="viewport" content="initial-scale=1,maximum-scale=1.0,user-scalable=no" /><link rel="icon" type="image/png" href="/1st.png" /><link rel="apple-touch-icon" sizes="128x128" href="/favicon.png" /><link rel="stylesheet" type="text/css" href="/_/web.css?20250110194732" /></head><body><div id="body" data-studio="CU52CV1W8g"><div id="c1" data-studio="Yu8FjCC11g" class="toc-h2 toc-h3 image-center p"><h1 id="Related-Literature">Related Literature</h1> <p>Below are some papers related to several categories of EPSS:</p> <ul> <li>Vulnerability Exploit Prediction</li> <li>Attack Prediction</li> <li>Software Exploitation and 
Patch Management</li> <li>Vulnerability Disclosure Policies, Timing</li> <li>Vulnerability Modeling</li> <li>Modeling Techniques and Foundations</li> </ul> <p>If you know of a paper that is missing from our list, feel free to send us the full citation and link at epss-chairs at first.org.</p> <h2 id="Vulnerability-Exploit-Prediction">Vulnerability Exploit Prediction</h2> <ol> <li>Bozorgi, Mehran, Lawrence K. Saul, Stefan Savage, and Geoffrey M. Voelker, (2010) Beyond Heuristics: Learning to Classify Vulnerabilities and Predict Exploits. Available at <a href="http://cseweb.ucsd.edu/~saul/papers/kdd10_exploit.pdf">http://cseweb.ucsd.edu/~saul/papers/kdd10_exploit.pdf</a>.</li> <li>Michel Edkrantz and Alan Said. Predicting cyber vulnerability exploits with machine learning. In SCAI, pages 48–57, 2015.</li> <li>Carl Sabottke, Octavian Suciu, and Tudor Dumitras, Vulnerability disclosure in the age of social media: exploiting twitter for predicting real-world exploits. In 24th USENIX Security Symposium (USENIX Security 15), pages 1041–1056, 2015.</li> <li>Mohammed Almukaynizi, Eric Nunes, Krishna Dharaiya, Manoj Senguttuvan, Jana Shakarian, and Paulo Shakarian. Proactive identification of exploits in the wild through vulnerability mentions online. In 2017 International Conference on Cyber Conflict (CyCon US), pages 82–88. IEEE, 2017.</li> <li>Benjamin L. Bullough, Anna K. Yanchenko, Christopher L. Smith, and Joseph R. Zipkin. 2017. Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data. In Proceedings of the 3rd ACM on International Workshop on Security And Privacy Analytics (IWSPA '17). Association for Computing Machinery, New York, NY, USA, 45–53. <a href="https://doi.org/10.1145/3041008.3041009a">https://doi.org/10.1145/3041008.3041009a</a></li> <li>Reinthal, A., Filippakis, E.L., Almgren, M. (2018). Data Modelling for Predicting Exploits. In: Gruschka, N. (eds) Secure IT Systems. NordSec 2018. 
Lecture Notes in Computer Science, vol 11252. Springer, Cham. <a href="https://doi.org/10.1007/978-3-030-03638-6_21">https://doi.org/10.1007/978-3-030-03638-6_21</a></li> <li>Haipeng Chen, Rui Liu, Noseong Park, and V.S. Subrahmanian. 2019. Using Twitter to Predict When Vulnerabilities will be Exploited. In Proceedings of the 25th ACM SIGKDD International Conference on Knowledge Discovery &amp; Data Mining (KDD '19). Association for Computing Machinery, New York, NY, USA, 3143–3152. <a href="https://doi.org/10.1145/3292500.3330742">https://doi.org/10.1145/3292500.3330742</a></li> <li>Nazgol Tavabi, Palash Goyal, Mohammed Almukaynizi, Paulo Shakarian, and Kristina Lerman. 2018. Darkembed: Exploit prediction with neural language models. In AAAI Conference on Innovative Applications of Artificial Intelligence (IAAI).</li> <li>Chaowei Xiao, Armin Sarabi, Yang Liu, Bo Li, Mingyan Liu, and Tudor Dumitras. 2018. From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild. In 27th USENIX Security Symposium (USENIX Security’18). 903–918.</li> <li>Kenneth Alperin, Allan Wollaber, Dennis Ross, Pierre Trepagnier, and Leslie Leonard. 2019. Risk Prioritization by Leveraging Latent Vulnerability Features in a Contested Environment. In Proceedings of the 12th ACM Workshop on Artificial Intelligence and Security (AISec'19). Association for Computing Machinery, New York, NY, USA, 49–57. <a href="https://doi.org/10.1145/3338501.3357365">https://doi.org/10.1145/3338501.3357365</a></li> <li>Fang Y, Liu Y, Huang C, Liu L. FastEmbed: Predicting vulnerability exploitation possibility based on ensemble machine learning algorithm. PLoS One. 2020 Feb 6;15(2):e0228439. doi: 10.1371/journal.pone.0228439. PMID: 32027693; PMCID: PMC7004314.</li> <li>Hoque, Mohammad Shamsul, Norziana Jamil, Nowshad Amin and Kwok-Yan Lam. 
“An Improved Vulnerability Exploitation Prediction Model with Novel Cost Function and Custom Trained Word Vector Embedding.” Sensors (Basel, Switzerland) 21 (2021): n. Pag.</li> <li>Bhatt, N, Anand, A, Yadavalli, VSS. Exploitability prediction of software vulnerabilities. Qual Reliab Engng Int. 2021; 37: 648–663. <a href="https://doi.org/10.1002/qre.2754">https://doi.org/10.1002/qre.2754</a></li> </ol> <h2 id="Attack-Prediction">Attack Prediction</h2> <ol> <li>S. Mathew, D. Britt, R. Giomundo, S. Upadhyaya, M. Sudit and A. Stotz, &quot;Real-time multistage attack awareness through enhanced intrusion alert clustering,&quot; MILCOM 2005 - 2005 IEEE Military Communications Conference, Atlantic City, NJ, 2005, pp. 1801-1806 Vol. 3, doi: 10.1109/MILCOM.2005.1605934.</li> <li>D. S. Fava, S. R. Byers and S. J. Yang, &quot;Projecting Cyberattacks Through Variable-Length Markov Models,&quot; in IEEE Transactions on Information Forensics and Security, vol. 3, no. 3, pp. 359-369, Sept. 2008, doi: 10.1109/TIFS.2008.924605.</li> <li>Paul A. Watters, Stephen McCombie, Robert Layton, Josef Pieprzyk, <a href="https://www.emerald.com/insight/content/doi/10.1108/13685201211266015/full/html">“Characterising and Predicting Cyberattacks Using the Cyber Attacker Model Profile (CAMP),”</a> <em>Journal of Money Laundering Control</em>, Vol. 5, No. 4, 2012, pp. 430-441.</li> <li>M. Abdlhamed, K. Kifayat, Q. Shi, and W. Hurst, <a href="https://dl.acm.org/doi/pdf/10.1145/2896387.2896420">“A system for intrusion prediction in cloud computing”</a>, in Proceedings of the International Conference on Internet of Things and Cloud Computing, ser. ICC ’16, New York, NY, USA: ACM, 2016, pp. 
35:1–35:9.</li> <li>Valerii Lakhno, Svitlana Kazmirchuk, Yulia Kovalenko, Larisa Myrutenko, and Tetyana Okhrimenko, <a href="http://www.irbis-nbuv.gov.ua/cgi-bin/irbis_nbuv/cgiirbis_64.exe?C21COM=2&amp;I21DBN=UJRN&amp;P21DBN=UJRN&amp;IMAGE_FILE_DOWNLOAD=1&amp;Image_file_name=PDF/Vejpte_2016_3(9)__6.pdf">“Design of Adaptive System of Detection of Cyber-attacks, Based on the Model of Logical Procedures and the Coverage Matrices of Features”</a>, <em>East European Journal of Advanced Technology</em>, Vol 3, No. 9, June 2016, pp. 30-38</li> <li>Leyla Bilge, Yufei Han, and Matteo Dell’Amico, <a href="https://dl.acm.org/doi/pdf/10.1145/3133956.3134022">“RiskTeller: Predicting the Risk of Cyber Incidents”</a>, <em>Session F2: Insights from Log(in)s CCS’17</em>, October 30-November 3, 2017: Dallas, TX, USA.</li> <li>Fuertes, W.; Reyes, F.; Valladares, P.; Tapia, F.; Toulkeridis, T.; Pérez, E. An Integral Model to Provide Reactive and Proactive Services in an Academic CSIRT Based on Business Intelligence. Systems 2017, 5, 52.</li> <li>Hassan Halawa, Matei Ripeanu, Konstantin Beznosov, Baris Coskun, and Meizhu Liu. 2017. An Early Warning System for Suspicious Accounts. In Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security (AISec ’17). Association for Computing Machinery, New York, NY, USA, 51–52. DOI:<a href="https://doi.org/10.1145/3128572.3140455">https://doi.org/10.1145/3128572.3140455</a></li> <li>Ahmet Okutan, Shanchieh Jay Yang, and Katie McConky, <a href="https://dl.acm.org/doi/pdf/10.1145/3064814.3064823">“Predicting Cyber Attacks with Bayesian Networks Using Unconventional Signals”</a>, <em>CISRC '17 Proceedings of the 12th Annual Conference on Cyber and Information Security Research</em>, No. 13, 2017.</li> <li>D. Maimon, O. Babko-Malaya, R. Cathey and S. 
Hinton, &quot;Re-thinking Online Offenders’ SKRAM: Individual Traits and Situational Motivations as Additional Risk Factors for Predicting Cyber Attacks,&quot; 2017 IEEE 15th Intl Conf on Dependable, Autonomic and Secure Computing, 15th Intl Conf on Pervasive Intelligence and Computing, 3rd Intl Conf on Big Data Intelligence and Computing and Cyber Science and Technology Congress (DASC/PiCom/DataCom/CyberSciTech), Orlando, FL, 2017, pp. 232-238, doi: 10.1109/DASC-PICom-DataCom-CyberSciTec.2017.50.</li> <li>A. Dalton, B. Dorr, L. Liang and K. Hollingshead, &quot;Improving cyber-attack predictions through information foraging,&quot; 2017 IEEE International Conference on Big Data (Big Data), Boston, MA, 2017, pp. 4642-4647, doi: 10.1109/BigData.2017.8258509.</li> <li>Abeshu and N. Chilamkurti, <a href="https://ieeexplore.ieee.org/abstract/document/8291134">“Deep Learning: The Frontier for Distributed Attack Detection in Fog-to-Things Computing”</a>, <em>IEEE Communications Magazine</em>, Vol. 56, No. 2, 2018, pp. 169-175.</li> <li>Palash Goyal, KSM Tozammel Hossain, Ashok Deb, Nazgol Tavabi, Nathan Bartley, Andres Abeliuk, Emilio Ferrara and Kristina Lerman, <a href="https://arxiv.org/pdf/1806.03342.pdf">“Discovering Signals from Web Sources to Predict Cyber Attacks”</a>, <em>IEEE Systems</em>, Vol. X, No. X, August, 2018.</li> <li>Husák, Martin &amp; Komárková, Jana &amp; Bou-Harb, Elias &amp; Celeda, Pavel. (2018). Survey of Attack Projection, Prediction, and Forecasting in Cyber Security. IEEE Communications Surveys &amp; Tutorials. PP. 10.1109/COMST.2018.2871866.</li> <li>Hernandez-Suarez, Aldo &amp; Sanchez-Perez, Gabriel &amp; Toscano-Medina, Karina &amp; Martinez-Hernandez, Victor &amp; Perez-Meana, Hector &amp; Olivares Mercado, Jesus &amp; Sanchez, Victor. (2018). Social Sentiment Sensor in Twitter for Predicting Cyber-Attacks Using ℓ1 Regularization. Sensors. 18. 1380. 10.3390/s18051380.</li> <li>Allen D. 
Householder, Jeff Chrabaszcz, Trent Novelly, David Warren, Jonathan M. Spring, (2020), Historical Analysis of Exploit Availability Timelines, CERT/CC and Govini. </li> </ol> <h2 id="Software-Exploitation-Patch-Management">Software Exploitation, Patch Management</h2> <ol> <li>Beattie, S., Arnold, S., Cowan, C., Wagle, P., Wright, C., &amp; Shostack, A. (2002, November). Timing the Application of Security Patches for Optimal Uptime. In LISA (Vol. 2, pp. 233-242).</li> <li>Arora, A., Telang, R., &amp; Xu, H. (2008). Optimal policy for software vulnerability disclosure. Management Science, 54(4), 642-656.</li> <li>August, T., &amp; Tunca, T. I. (2008). Let the pirates patch? an economic analysis of software security patch restrictions. Information Systems Research, 19(1), 48-70.</li> <li>Sam Ransbotham (2010), An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software, Ninth Workshop On The Economics Of Information Security, Boston, MA, June 2010, <a href="https://www.econinfosec.org/archive/weis2010/papers/session6/weis2010_ransbotham.pdf">https://www.econinfosec.org/archive/weis2010/papers/session6/weis2010_ransbotham.pdf</a>.</li> <li>August, T., &amp; Tunca, T. I. (2011). Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Science, 57(5), 934-959.</li> <li>Ransbotham, S., Mitra, S., &amp; Ramsey, J. (2012). Are markets for vulnerabilities effective?. MIS Quarterly, 43-64.</li> <li>Dey, D., Lahiri, A., &amp; Zhang, G. (2015). Optimal policies for security patch management. INFORMS Journal on Computing, 27(3), 462-477.</li> <li>August, T., Dao, D., &amp; Kim, K. (2019). Market segmentation and software security: Pricing patching rights. Management Science. In Press.</li> <li>Kenna Security and Cyentia Institute. Prioritization to prediction, volume 3. Technical report, Kenna Security, July 2019.</li> <li>Allodi, L., and Massacci, F, (2014). 
Comparing Vulnerability Severity and Exploits Using Case-Control Studies. ACM Trans. Inf. Syst. Secur. 17, 1, Article 1 (August 2014), 20 pages. DOI:<a href="https://doi.org/10.1145/2630069">https://doi.org/10.1145/2630069</a></li> <li>Allodi L. (2015) The Heavy Tails of Vulnerability Exploitation. In: Piessens F., Caballero J., Bielova N. (eds) Engineering Secure Software and Systems. ESSoS 2015. Lecture Notes in Computer Science, vol 8978. Springer, Cham. <a href="https://doi.org/10.1007/978-3-319-15618-7_11">https://doi.org/10.1007/978-3-319-15618-7_11</a></li> <li>Allodi, L., Corradin, M., and Massacci, F, (2016), &quot;Then and Now: On the Maturity of the Cybercrime Markets The Lesson That Black-Hat Marketeers Learned,&quot; in IEEE Transactions on Emerging Topics in Computing, vol. 4, no. 1, pp. 35-46, Jan.-March 2016, doi: 10.1109/TETC.2015.2397395.</li> <li>Allodi, L., (2017), Economic Factors of Vulnerability Trade and Exploitation. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS '17). Association for Computing Machinery, New York, NY, USA, 1483–1499. DOI:<a href="https://doi.org/10.1145/3133956.3133960">https://doi.org/10.1145/3133956.3133960</a></li> <li>Allodi, L. and Massacci, F. (2017), Security Events and Vulnerability Data for Cybersecurity Risk Estimation. Risk Analysis, 37: 1606–1627. doi:10.1111/risa.12864</li> <li>Allodi, L., Massacci, F. and Williams, J. (2021), The Work‐Averse Cyberattacker Model: Theory and Evidence from Two Million Attack Signatures. Risk Analysis. <a href="https://doi.org/10.1111/risa.13732">https://doi.org/10.1111/risa.13732</a></li> </ol> <h2 id="Vulnerability-Disclosure-Policies-Timing">Vulnerability Disclosure Policies, Timing</h2> <ol> <li>Kannan, K., &amp; Telang, R. (2005). Market for software vulnerabilities? Think again. Management science, 51(5), 726-740.</li> <li>Cavusoglu, H., Cavusoglu, H., &amp; Raghunathan, S. (2007). 
Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Transactions on Software Engineering, 33(3), 171-185.</li> <li>Cavusoglu, H., H. Cavusoglu, and J. Zhang (2008). Security patch management: Share the burden or share the damage? Management Science 54(4), 657–670.</li> <li>Sabyasachi Mitra and Sam Ransbotham. The effects of vulnerability disclosure policy on the diffusion of security attacks. Information Systems Research, 26(3):565–584, 2015.</li> <li>Boechat, F., Ribas, G., Senos, L., Bicudo, M., Nogueira, M. S., de Aguiar, L. P., &amp; Menasche, D. S. (2021). Is Vulnerability Report Confidence Redundant? Pitfalls Using Temporal Risk Scores. IEEE Security &amp; Privacy, (01), 2-11.</li> </ol> <h2 id="Vulnerability-Modeling">Vulnerability Modeling</h2> <ol> <li>Afsah Anwar, Ahmed Abusnaina, Songqing Chen, Frank Li, David Mohaisen, (2020) Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses, available at arXiv:2006.15074v1.</li> <li>Miranda, L., Vieira, D., de Aguiar, L. P., Menasche, D. S., Bicudo, M., Nogueira, M., ... &amp; Lovat, E. (2021). On the Flow of Software Security Advisories. IEEE Transactions on Network and Service Management.</li> <li>R. A. Miura-Ko and N. Bambos, &quot;SecureRank: A Risk-Based Vulnerability Management Scheme for Computing Infrastructures,&quot; 2007 IEEE International Conference on Communications, 2007, pp. 1455-1460, doi: 10.1109/ICC.2007.244. </li> <li>H. Chen, J. Liu, R. Liu, N. Park and V. S. Subrahmanian, “VEST: A System for Vulnerability Exploit Scoring &amp; Timing”, Proceedings of the Twenty-Eighth International Joint Conference on Artificial Intelligence, 2019, pp. 6503-6505, doi: 10.24963/ijcai.2019/937.</li> <li>H. Chen, J. Liu, R. Liu, N. Park and V. S. Subrahmanian, &quot;VASE: A Twitter-Based Vulnerability Analysis and Score Engine,&quot; 2019 IEEE International Conference on Data Mining (ICDM), 2019, pp. 
976-981, doi: 10.1109/ICDM.2019.00110.</li> <li>Andrey Nikonov, Alexey Vulfin, Vladimir Vasilyev, Anastasia Kirillova, Vladimir Mikhailov, &quot;System for Estimation CVSS Severity Metrics of Vulnerability Based on Text Mining Technology&quot;, Information Technology and Nanotechnology (ITNT) 2021 International Conference, pp. 1-5, 2021.</li> <li>M. Walkowski, M. Krakowiak, M. Jaroszewski, J. Oko and S. Sujecki, &quot;Automatic CVSS-based Vulnerability Prioritization and Response with Context Information,&quot; 2021 International Conference on Software, Telecommunications and Computer Networks (SoftCOM), 2021, pp. 1-6, doi: 10.23919/SoftCOM52868.2021.9559094.</li> <li>Walkowski, M.; Oko, J.; Sujecki, S., “Vulnerability Management Models Using a Common Vulnerability Scoring System”, Appl. Sci. 2021, 11, 8735. <a href="https://doi.org/10.3390/app11188735">https://doi.org/10.3390/app11188735</a></li> </ol> <h2 id="Modeling-Techniques-and-Foundations">Modeling Techniques and Foundations</h2> <ol> <li>Arthur E Hoerl and Robert W Kennard. Ridge regression: Biased estimation for nonorthogonal problems. Technometrics, 12(1):55–67, 1970.</li> <li>Chinchor, Nancy. (1992). MUC-4 evaluation metrics. Proceedings of the Fourth Message Understanding Conference. 22-29. 10.3115/1072064.1072067.</li> <li>Kubat, M &amp; Matwin, Stan. (2000). Addressing the Curse of Imbalanced Training Sets: One-Sided Selection. Fourteenth International Conference on Machine Learning.</li> <li>Hui Zou and Trevor Hastie. Regularization and variable selection via the elastic net. Journal of the royal statistical society: series B (statistical methodology), 67(2):301–320, 2005.</li> <li>Rose, Stuart &amp; Engel, Dave &amp; Cramer, Nick &amp; Cowley, Wendy. (2010). Automatic Keyword Extraction from Individual Documents. Text Mining: Applications and Theory. 1 - 20. 10.1002/9780470689646.ch1.</li> <li>Alfredo Vellido, José David Martín-Guerrero, and Paulo JG Lisboa. 
Making machine learning models interpretable. In ESANN, volume 12, pages 163–172. Citeseer, 2012.</li> <li>Federico Cabitza, Raffaele Rasoini, and Gian Franco Gensini. Unintended consequences of machine learning in medicine. JAMA, 318(6):517–518, 2017.</li> <li>Jonathan H Chen and Steven M Asch. Machine learning and prediction in medicine—beyond the peak of inflated expectations. The New England journal of medicine, 376(26):2507, 2017.</li> <li>Chen, T., Guestrin, C., (2016) XGBoost: A Scalable Tree Boosting System, KDD ’16, San Francisco, CA. Available at <a href="https://arxiv.org/abs/1603.02754">https://arxiv.org/abs/1603.02754</a>. Last accessed February 16, 2019.</li> <li>Finale Doshi-Velez and Been Kim. Towards a rigorous science of interpretable machine learning. arXiv preprint arXiv:1702.08608, 2017.</li> </ol></div></div></body></html>
