Evaluating The Impact Of Time-To-Exploit Estimation For Vulnerability Prioritization
DOI: https://doi.org/10.26629/
Keywords: Cybersecurity, Vulnerability Prioritization, Time-To-Exploit (TTE), Exploit Prediction Scoring System (EPSS), Regression Models
Abstract
Recently, security vulnerabilities have increased significantly. This study addresses the problem of prioritizing them by developing a predictive model that estimates the time required to exploit them. The model was developed on data from multiple sources, including a unified Kaggle dataset that combines three reliable sources: the National Vulnerability Database (NVD), the CISA Known Exploitable Vulnerabilities (KEV) list, and the Exploit Prediction Scoring System (EPSS). Data from both ExploitDB and the CISA KEV list was also used. The dataset was divided into training (2021-2023) and testing (2024) sets. To compensate for the lack of confirmed exploitation dates, isotonic regression was used as a methodological alternative to model the monotonic relationship between EPSS scores and actual exploitation dates. We also evaluated three regression models. On the test set, the XGBoost model showed the best results (MAE=2.98 days, RMSE=12.20 days, R²=0.936, MAPE=14.43%), while the Random Forest outperformed the baseline linear regression model (MAE=2.77, RMSE=14.59, R²=0.908, MAPE=13.43% vs. MAE=18.48, RMSE=24.57, R²=0.740, MAPE=51.50%). To turn these predictions into actionable information, the estimated "Time To Exploit" was transformed into a "Composite Priority Index" that combines the predicted speed of exploitation with the probability score. The EPSS was then used to categorize vulnerabilities into the following levels: urgent, high, medium, and low. Compared to relying solely on static criteria, this approach improved our ability to identify high-risk vulnerabilities early by incorporating time-based data. The results show that incorporating the time dimension enhances its reliability and wider applicability.
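The pipeline the abstract outlines (monotonic EPSS-to-TTE mapping, then an index, then four levels), as an added example that is not the authors' code. The sample pairs are constructed, the isotonic fit is a plain pool-adjacent-violators implementation, and the index formula, `scale_days` and the tier cut-offs are assumptions, since the abstract does not give them.

```python
from bisect import bisect_left

# Constructed sample: (EPSS score, observed days from disclosure to exploitation).
SAMPLE = [(0.02, 120), (0.05, 90), (0.10, 100), (0.20, 60), (0.35, 45),
          (0.50, 50), (0.70, 14), (0.90, 7), (0.97, 2)]

def fit_isotonic_decreasing(pairs):
    """Pool-adjacent-violators: least-squares non-increasing step fit of y on x."""
    blocks = []  # each block: [sum of y, count, right-edge x]
    for x, y in sorted(pairs):
        blocks.append([y, 1, x])
        # Higher EPSS must not predict a longer TTE; merge blocks that violate this.
        while len(blocks) > 1 and \
                blocks[-2][0] / blocks[-2][1] < blocks[-1][0] / blocks[-1][1]:
            s, n, edge = blocks.pop()
            blocks[-1][0] += s
            blocks[-1][1] += n
            blocks[-1][2] = edge
    return [(edge, s / n) for s, n, edge in blocks]

def predict_tte(model, epss):
    """Estimated days to exploit: value of the first block whose edge >= epss."""
    edges = [edge for edge, _ in model]
    return model[min(bisect_left(edges, epss), len(model) - 1)][1]

def composite_priority(epss, tte_days, scale_days=30.0):
    """Hypothetical index: probability discounted by how far off exploitation is."""
    return epss / (1.0 + tte_days / scale_days)

def tier(index):
    """Hypothetical cut-offs for the four levels named in the abstract."""
    for name, floor in (("urgent", 0.5), ("high", 0.2), ("medium", 0.05)):
        if index >= floor:
            return name
    return "low"

def prioritize(model, epss):
    """Return (estimated TTE in days, priority level) for one EPSS score."""
    tte = predict_tte(model, epss)
    return tte, tier(composite_priority(epss, tte))

if __name__ == "__main__":
    model = fit_isotonic_decreasing(SAMPLE)
    for score in (0.95, 0.60, 0.40, 0.03):
        print(score, *prioritize(model, score))
```

The two out-of-order observations in the sample (90 then 100 days, 45 then 50 days) are pooled into single steps, which is what keeps the fitted TTE from rising as EPSS rises.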
License
Copyright (c) 2026 Journal of Technology Research

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.