Time series modeling of vulnerabilities

“…Although both modeling approaches can be either descriptive or predictive (Höök et al, 2011), the distinction rather underlines the difference between statistical (empirical) and mathematical (mechanical) models; between stochastic and deterministic models -in essence, between statistical time series models and differential equations. The empirical approach follows the latter course, but not without statistical assessments over the plausibility of the mechanical models in a context that is not mechanical (for the other course see Roumani et al, 2015). The approach is subsequently elaborated with an introduction of the empirical data, a brief discussion of two growth functions, and an outline of computational details.…”

“…While measures from the last group, which assess whether the future direction goes up or down, have been sometimes used in the curve fitting context (López et al, 2004), the magnitude measures have been more common (Suominen and Seppänen, 2014;Young, 1993). The usual suspects in this group are the mean square error, the mean absolute deviation, and the mean absolute percentage error (MAPE), which all have their own limitations (Hendry and Clements, 2000;Roumani et al, 2015). As the last one is arguably the most intuitive, it was adopted for the tentative forecast evaluation.…”

The sigmoidal growth of operating system security vulnerabilities: An empirical revisit

“…Although both modeling approaches can be either descriptive or predictive (Höök et al, 2011), the distinction rather underlines the difference between statistical (empirical) and mathematical (mechanical) models; between stochastic and deterministic models -in essence, between statistical time series models and differential equations. The empirical approach follows the latter course, but not without statistical assessments over the plausibility of the mechanical models in a context that is not mechanical (for the other course see Roumani et al, 2015). The approach is subsequently elaborated with an introduction of the empirical data, a brief discussion of two growth functions, and an outline of computational details.…”

“…While measures from the last group, which assess whether the future direction goes up or down, have been sometimes used in the curve fitting context (López et al, 2004), the magnitude measures have been more common (Suominen and Seppänen, 2014;Young, 1993). The usual suspects in this group are the mean square error, the mean absolute deviation, and the mean absolute percentage error (MAPE), which all have their own limitations (Hendry and Clements, 2000;Roumani et al, 2015). As the last one is arguably the most intuitive, it was adopted for the tentative forecast evaluation.…”

The sigmoidal growth of operating system security vulnerabilities: An empirical revisit

“…As the NVD is considered a standard for consulting vulnerability data, many research works use only the NVD as their vulnerability database (e.g., [42,47,50,55]). This is a natural choice since the NVD includes multiple resources for further understanding of the issue at hand.…”

“…The research community has shown many different uses for OSINT, from its collection and processing [25,28,35,40,43,48,54,59], vulnerability life cycle analysis [27,30,42,50,56], to evaluating vulnerability exploitability [23,30,31,37,45]. There are two predominant OSINT sources in the literature: NVD (e.g., [23, 30, 31, 37, 42, 45, 47, 49-51, 55, 56]), and Twitter (e.g., [25, 32, 35, 37, 39-41, 43, 44, 48, 51, 53, 55, 58, 59]).…”

Follow the Blue Bird: A Study on Threat Data Published on Twitter

“…In recent years, some software vulnerability disclosure process models were developed using traditional time series models like Auto Regressive Moving Average (ARIMA) [21]. However, vulnerability disclosure data contain a lot of nonlinearity and thus traditional time series models might not be appropriate [22].…”

Vulnerability prediction capability: A comparison between vulnerability discovery models and neural network models