Model Documentation for Ranking CVEs Based on Priority and Criticality
The model evaluates CVEs using a composite score that reflects multiple critical factors, enabling prioritization based on risk, urgency, and exploitation potential. Below is a detailed breakdown of the model components, scoring weights, and how the CVEs are ranked.
1. Model Components
The ranking model is based on five key features:
- KEV (Known Exploited Vulnerability): This binary feature indicates whether the vulnerability is actively exploited in the wild. Actively exploited vulnerabilities represent the highest priority.
-
Weight: 3 (if True, otherwise 0)
-
CVSS (Common Vulnerability Scoring System) Score: This is a standard score representing the severity of the vulnerability, ranging from 0 to 10. A higher score indicates greater severity and impact.
-
Weight: 2 (multiplied by the CVSS score)
-
EPSS (Exploit Prediction Scoring System): EPSS represents the likelihood that a vulnerability will be exploited in the future, expressed as a percentage. This factor assesses the risk of exploitation.
-
Weight: 2 (multiplied by the average EPSS score)
-
EPSS Trend Calculation: The
calculate_epss_trend()function determines whether the EPSS scores are trending upward, downward, or stable based on a 5% threshold difference between the first and last values in the 30-day data. -
Trend-Based Weighting:
- Upward Trend: EPSS average is multiplied by 3 (indicating higher exploitation risk).
- Downward Trend: EPSS average is multiplied by 1 (lower risk).
- Stable Trend: EPSS average is multiplied by 2 (consistent risk).
-
CWE Top 25: This feature indicates whether the vulnerability belongs to the CWE Top 25 list of the most dangerous software weaknesses. These vulnerabilities often lead to severe impacts like code execution, privilege escalation, or data breaches.
-
Weight: 1.5 (if True, otherwise 0)
-
Priority Level: This represents the urgency of the vulnerability as labeled (e.g., "Hot News" or "Priority 1+"). This field is treated as a baseline and given a placeholder weight of 1. It can be refined if needed based on specific context or business needs.
- Weight: 1 (uniform placeholder)
2. CVE Ranking by Priority
The CVEs are then ranked based on their composite scores, from highest to lowest. Below is the list of top CVEs ordered by their composite score:
| Rank | CVE ID | CVSS | KEV | EPSS Average (%) | CWE Top 25 | Composite Score |
|---|---|---|---|---|---|---|
| 1 | CVE-2022-22965 | 9.8 | True | 97.48 | True | 220.06 |
| 2 | CVE-2022-22965 | 9.8 | True | 97.48 | True | 220.06 |
| 3 | CVE-2022-22965 | 9.8 | True | 97.48 | True | 220.06 |
| 4 | CVE-2022-22965 | 9.8 | True | 97.48 | True | 220.06 |
| 5 | CVE-2022-22965 | 9.8 | True | 97.48 | True | 220.06 |
(Note: This sample shows CVE-2022-22965 multiple times due to the structure of the data.)
3. Explanation of Results
- CVE-2022-22965 ranks highest because:
- It has a high CVSS score (9.8), indicating critical severity.
- It is a Known Exploited Vulnerability (KEV), meaning attackers are actively exploiting this vulnerability.
- It has a high EPSS score (97.48%), showing a very high likelihood of future exploitation.
- It belongs to the CWE Top 25, further increasing its criticality.
This combination of factors justifies its ranking as the most urgent and dangerous vulnerability in the dataset.
5. Model Application and Flexibility
This model is flexible and can be adapted based on:
- Business Context: Organizations may adjust the weights or include additional custom factors.
- Additional Inputs: New features, such as vulnerability age or patch availability, can be incorporated into the model.
Metrics
Measuring and verifying the efficiency of a vulnerability prioritization model involves assessing both the accuracy of its risk assessment and its practical impact on cybersecurity operations. Here are several methods and metrics used to measure and verify the efficiency of the model:
1. Ground Truth Comparison
- Objective: Compare the modelโs results with known real-world attack data.
- Process: Use datasets of actual exploited vulnerabilities (such as those from MITRE's KEV list or incident reports from cybersecurity companies) and check how the model ranks these vulnerabilities. If high-priority CVEs according to the model are also frequently exploited in the wild, it demonstrates accuracy.
- Metric: Precision at the Top โ a metric that assesses how many of the top-ranked CVEs in the model are actually being exploited or causing incidents.
2. Exploit Detection
- Objective: Measure how well the model predicts which vulnerabilities are likely to be exploited.
- Process: Compare the vulnerabilities that the model identifies as high-priority (based on factors like CVSS, EPSS, KEV) with actual exploitation reports over a period (e.g., last 6-12 months).
- Metric: Exploit Prediction Accuracy โ the proportion of vulnerabilities the model prioritized that are later found to be exploited.
3. EPSS Verification
- Objective: Compare model outcomes with EPSS data to verify if vulnerabilities that have a high likelihood of exploitation are correctly prioritized.
- Process: Check if the model ranks vulnerabilities with a high EPSS score in the top tiers. A mismatch could indicate that the model is over-weighting other factors.
- Metric: Correlation with EPSS Score โ how well the CVEs ranked by the model align with their EPSS scores. Strong correlations indicate the model is effectively predicting future exploitation.
$### 4. Operational Efficiency Metrics
- Objective: Evaluate how the model improves operational responses in security teams.
- Process: Measure the reduction in time taken to patch or mitigate vulnerabilities by comparing remediation times before and after implementing the model.
- Metric: Mean Time to Patch (MTTP) โ time taken from vulnerability identification to patching. A reduction in MTTP suggests that the model helps teams focus on critical vulnerabilities more effectively.
5. Incident Reduction
- Objective: Measure if using the model leads to a reduction in security incidents.
- Process: Track security incidents tied to CVEs before and after using the model to prioritize vulnerabilities. Ideally, the model should help reduce incidents caused by missed or delayed vulnerability patching.
- Metric: Incident Rate Reduction โ the decrease in incidents related to CVEs that were deprioritized by the model but later exploited.
6. False Positives/False Negatives
- Objective: Analyze how often the model incorrectly ranks low-risk vulnerabilities as high priority (false positives) or critical vulnerabilities as low priority (false negatives).
- Process: Compare the list of high-priority CVEs against non-exploited vulnerabilities and vice versa. False positives lead to wasted resources, while false negatives expose organizations to unnecessary risk.
- Metric: False Positive/Negative Rate โ a lower rate of false negatives and an acceptable level of false positives indicate a balanced model.
7. Feedback from Security Operations Teams
- Objective: Measure the practical usefulness of the model in real-world security operations.
- Process: Collect feedback from SOC (Security Operations Center) teams and vulnerability management personnel. Ask whether the model's prioritization aligns with their experience, and whether it helps them focus on vulnerabilities that matter most.
- Metric: User Satisfaction Score โ gathered from surveys or feedback forms from the teams using the model.
8. A/B Testing
- Objective: Test the impact of the model in real-world environments by comparing it to alternative models or manual prioritization.
- Process: Implement A/B testing where one team uses the model to prioritize vulnerabilities while another follows a traditional or different approach. Compare the outcomes in terms of patching speed, exploit avoidance, and incident reduction.
- Metric: Relative Performance โ improvement in operational metrics (e.g., MTTP, exploit avoidance) when using the model compared to alternative methods.
9. Automation and Scalability
- Objective: Evaluate how well the model scales and adapts to large datasets with frequent updates.
- Process: Measure the time it takes to process and prioritize new vulnerabilities as they emerge.
- Metric: Model Throughput โ how quickly the model processes new CVEs and updates priority lists in response to new data (e.g., emerging exploits or updated EPSS scores).
10. Real-World Validation through Incident Correlation
- Objective: Assess whether the model correctly identifies vulnerabilities that contributed to real-world breaches or significant incidents.
- Process: After a significant incident, compare the vulnerabilities involved against the modelโs prioritization. Determine if the vulnerability in question was given sufficient priority before the incident.
- Metric: Incident Correlation Score โ the model's ability to highlight vulnerabilities that eventually led to incidents.
Example Metrics Summary:
- Precision at the Top: Measures how often the highest-ranked vulnerabilities are actively exploited.
- Exploit Prediction Accuracy: How well the model predicts exploitation.
- MTTP: Measures the impact on remediation speed.
- False Positive/Negative Rate: The number of incorrect rankings.
- User Satisfaction: Practical usefulness according to operational teams.