vuln4cast

A collection of data fetchers, and simple quarterly and yearly CVE forecasting models.

https://github.com/firstdotorg/vuln4cast

Science Score: 57.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
    Found 2 DOI reference(s) in README
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (13.4%) to scientific vocabulary

Keywords

cve-forecast cve-prediction vulnerability-forecast vulnerability-prediction

Repository


Basic Info
  • Host: GitHub
  • Owner: FIRSTdotorg
  • License: apache-2.0
  • Language: Jupyter Notebook
  • Default Branch: main
  • Homepage:
  • Size: 6.78 MB
Statistics
  • Stars: 39
  • Watchers: 12
  • Forks: 4
  • Open Issues: 4
  • Releases: 1
Topics
cve-forecast cve-prediction vulnerability-forecast vulnerability-prediction
Created almost 3 years ago · Last pushed 9 months ago
Metadata Files

README.md

Vuln4Cast

What is this repository all about?

This repository holds the code that uses NVD data to demonstrate that it is possible to forecast vulnerabilities with reasonable accuracy both quarterly and yearly. We believe this is foundational rather than an end result. In other words, this forecasting will enable other research to be performed that might not have existed before. We encourage you to make more accurate forecasts, or extend the lookahead window, or make sub-forecasts for specific vendors.

Quickstart

Clone this repository and configure a suitable Python 3 and Jupyter Notebook environment.

git clone https://github.com/FIRSTdotorg/Vuln4Cast.git
cd Vuln4Cast
pip install -r requirements.txt

Before running the analysis, you will need to run the code that fetches the NVD data; see NVDDataFetch-V1.ipynb. This builds the directory structure, fetches data from NVD (and CVE), and unpacks that data into formats that are easier to work with. It will take a few minutes depending on your network.


Analysis

Once the data has been fetched, you can run either the quarterly or the yearly forecast, e.g. YearlyVuln4Cast-V1.ipynb. Each uses a SARIMAX model that gives good results, which we consider a benchmark for your own research to beat. The notebooks also contain a Hurst exponent analysis that should demonstrate both that forecasting is possible and that there is long-term trending in the data. Other graphs help demonstrate features useful to forecasters who wish to extend or improve the work.
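An added illustration of the Hurst exponent check referred to above (example code written for this page, not the project's notebooks and not the hurst package listed in requirements.txt): a simplified rescaled-range (R/S) estimator run over a constructed quarterly count series. H above 0.5 indicates a persistent, trending series; H near 0.5 a memoryless random walk; H below 0.5 mean reversion.

```python
import math
import statistics

# Constructed sample resembling a trending quarterly CVE count series.
# This is NOT NVD data; real counts come from the NVDDataFetch notebook.
CONSTRUCTED_QUARTERLY_COUNTS = [
    int(1000 + 120 * q + 60 * math.sin(q)) for q in range(64)
]


def rescaled_range(chunk):
    """R/S statistic for one window: range of the mean-adjusted
    cumulative sum divided by the population standard deviation.
    Returns None for a constant window (no spread to scale by)."""
    mean = statistics.fmean(chunk)
    cumulative, running = [], 0.0
    for x in chunk:
        running += x - mean
        cumulative.append(running)
    sigma = statistics.pstdev(chunk)
    if sigma == 0:
        return None
    return (max(cumulative) - min(cumulative)) / sigma


def hurst_exponent(series, min_window=8):
    """Estimate H as the least-squares slope of log(mean R/S) against
    log(window size), halving the window from len(series)//2 down to
    min_window. Needs at least 2 * min_window points."""
    xs, ys = [], []
    window = len(series) // 2
    while window >= min_window:
        rs_values = [
            rescaled_range(series[i:i + window])
            for i in range(0, len(series) - window + 1, window)
        ]
        rs_values = [v for v in rs_values if v is not None]
        if rs_values:
            xs.append(math.log(window))
            ys.append(math.log(statistics.fmean(rs_values)))
        window //= 2
    if len(xs) < 2:
        raise ValueError("series too short for an R/S estimate")
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return num / den


if __name__ == "__main__":
    print("H (constructed trending counts):",
          round(hurst_exponent(CONSTRUCTED_QUARTERLY_COUNTS), 3))
```

Run on the real quarterly counts produced by the fetch notebook, an H well above 0.5 is the signal the paragraph above describes; a value near 0.5 would mean the series carries little usable memory for a SARIMAX-style forecast.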

If all of this interests you, we encourage you to get in touch and help us build a community dedicated to the prediction and forecasting of vulnerabilities. We believe we are part of a wider movement of cyber risk quantification that includes our allies like EPSS, which predicts exploitation of CVEs rather than CVE volumes. We honestly foresee a world in which these techniques become combined, and perhaps even the economic damage of exploitation can be predicted as well.

To cite the original paper

See the PAPERCITATION.bib file or:

Éireann Leverett, Matilda Rhode, and Adam Wedgbury. 2022. Vulnerability Forecasting: Theory and Practice. Digital Threats 3, 4, Article 42 (March 2022), 27 pages. https://doi.org/10.1145/3492328

To cite this codebase if you use it for your own paper

See the CITATION.cff file or:

Leverett, É; Rhode, M; Burns, E; Manion, A (2023) Vuln4Cast source code (Version 1.0.0) [Source code]. https://github.com/FIRSTdotorg/Vuln4Cast/

Owner

  • Name: FIRST.Org, Inc.
  • Login: FIRSTdotorg
  • Kind: organization
  • Email: first-tech@first.org

Forum of Incident Response and Security Teams

Citation (CITATION.cff)

cff-version: 1.2.0
message: "If you use this software, please cite it as below."
authors:
- family-names: "Leverett"
  given-names: "Éireann"
  orcid: "https://orcid.org/0000-0001-6586-7359"
- family-names: "Rhode"
  given-names: "Matilda"
- family-names: "Burns"
  given-names: "Erin"
- family-names: "Manion"
  given-names: "Art"

title: "Vuln4Cast"
version: 1.0.0
doi: 10.5281/zenodo.1234
date-released: 2023-05-20
url: "https://github.com/FIRSTdotorg/Vuln4Cast/releases"

GitHub Events

Total
  • Watch event: 5
  • Push event: 2
  • Pull request review event: 1
  • Pull request event: 2
Last Year
  • Watch event: 5
  • Push event: 2
  • Pull request review event: 1
  • Pull request event: 2

Dependencies

requirements.txt pypi
  • Requests ==2.30.0
  • hurst ==0.0.5
  • jq ==1.4.1
  • matplotlib ==3.7.1
  • numpy ==1.24.1
  • pandas ==1.5.3
  • python_dateutil ==2.8.2
  • scikit_learn ==1.2.2
  • statsmodels ==0.14.0
  • tqdm ==4.65.0