Risk assessment of vulnerabilities exploitation

M. Fátima Brilhante; Pedro Pestana; M. Luísa Rocha; Fernando Sequeira

doi:10.1007/978-3-031-68949-9_6

Risk assessment of vulnerabilities exploitation

M. Fátima Brilhante^*, Pedro Pestana, M. Luísa Rocha, Fernando Sequeira

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Citation (Scopus)

Abstract

Using the Kolmogorov–Smirnov, Cramér–von Mises and Anderson–Darling tests, and the not so commonly applied Vuong’s test, it is shown that a two components hyperlog-logistic distribution, i.e., a mixture of two geo-max-stable log-logistic distributions, provides a good fit for the time from disclosure to update of vulnerabilities sampled from the CVEdetails.com database. It is also shown that the hyperlog-logistic distribution provides a better fit than a heavy-tailed distribution of maxima, or a log-logistic distribution, or even a heavy-tailed two components hyperexponential distribution. Moreover, ways of incorporating uncertainty and of modeling vulnerabilities lifecycle into the Common Vulnerabilities Scoring System (CVSS), the most widely used score to assess severity of vulnerabilities, are discussed, in order to obtain an improved CVSS calculator and the evolution of a score over time.

Original language	English
Title of host publication	New frontiers in statistics and data science
Subtitle of host publication	SPE2023
Editors	Lígia Henriques-Rodrigues, Raquel Menezes, Luís Meira Machado, Susana Faria, Miguel de Carvalho
Publisher	Springer
Pages	69-82
Number of pages	14
Edition	1
ISBN (Electronic)	9783031689499
ISBN (Print)	9783031689482, 9783031726071
DOIs	https://doi.org/10.1007/978-3-031-68949-9_6
Publication status	Published - Jan 2025
Event	26th Congress of the Portuguese Statistical Society, SPE 2023 - Evora, Portugal Duration: 13 Oct 2021 → 16 Oct 2021

Publication series

Name	Springer Proceedings in Mathematics and Statistics
ISSN (Print)	2194-1009
ISSN (Electronic)	2194-1017

Conference

Conference	26th Congress of the Portuguese Statistical Society, SPE 2023
Country/Territory	Portugal
City	Evora
Period	13/10/21 → 16/10/21

Keywords

CVSS modifier
Heavy-tailed distributions
Hyperlog-logistic distribution
Vulnerabilities
Vulnerabilities lifecycle

Access to Document

10.1007/978-3-031-68949-9_6

Cite this

Brilhante, M. F., Pestana, P., Rocha, M. L., & Sequeira, F. (2025). Risk assessment of vulnerabilities exploitation. In L. Henriques-Rodrigues, R. Menezes, L. M. Machado, S. Faria, & M. de Carvalho (Eds.), New frontiers in statistics and data science: SPE2023 (1 ed., pp. 69-82). (Springer Proceedings in Mathematics and Statistics). Springer. https://doi.org/10.1007/978-3-031-68949-9_6

@inproceedings{a12e02d390dd4062b72cdd950716b6c8,

title = "Risk assessment of vulnerabilities exploitation",

abstract = "Using the Kolmogorov–Smirnov, Cram{\'e}r–von Mises and Anderson–Darling tests, and the not so commonly applied Vuong{\textquoteright}s test, it is shown that a two components hyperlog-logistic distribution, i.e., a mixture of two geo-max-stable log-logistic distributions, provides a good fit for the time from disclosure to update of vulnerabilities sampled from the CVEdetails.com database. It is also shown that the hyperlog-logistic distribution provides a better fit than a heavy-tailed distribution of maxima, or a log-logistic distribution, or even a heavy-tailed two components hyperexponential distribution. Moreover, ways of incorporating uncertainty and of modeling vulnerabilities lifecycle into the Common Vulnerabilities Scoring System (CVSS), the most widely used score to assess severity of vulnerabilities, are discussed, in order to obtain an improved CVSS calculator and the evolution of a score over time.",

keywords = "CVSS modifier, Heavy-tailed distributions, Hyperlog-logistic distribution, Vulnerabilities, Vulnerabilities lifecycle",

author = "Brilhante, {M. F{\'a}tima} and Pedro Pestana and Rocha, {M. Lu{\'i}sa} and Fernando Sequeira",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; 26th Congress of the Portuguese Statistical Society, SPE 2023 ; Conference date: 13-10-2021 Through 16-10-2021",

year = "2025",

month = jan,

doi = "10.1007/978-3-031-68949-9_6",

language = "English",

isbn = "9783031689482",

series = "Springer Proceedings in Mathematics and Statistics",

publisher = "Springer",

pages = "69--82",

editor = "L{\'i}gia Henriques-Rodrigues and Raquel Menezes and Machado, {Lu{\'i}s Meira} and Susana Faria and {de Carvalho}, Miguel",

booktitle = "New frontiers in statistics and data science",

address = "Germany",

edition = "1",

}

Brilhante, MF, Pestana, P, Rocha, ML & Sequeira, F 2025, Risk assessment of vulnerabilities exploitation. in L Henriques-Rodrigues, R Menezes, LM Machado, S Faria & M de Carvalho (eds), New frontiers in statistics and data science: SPE2023. 1 edn, Springer Proceedings in Mathematics and Statistics, Springer, pp. 69-82, 26th Congress of the Portuguese Statistical Society, SPE 2023, Evora, Portugal, 13/10/21. https://doi.org/10.1007/978-3-031-68949-9_6

Risk assessment of vulnerabilities exploitation. / Brilhante, M. Fátima; Pestana, Pedro; Rocha, M. Luísa et al.
New frontiers in statistics and data science: SPE2023. ed. / Lígia Henriques-Rodrigues; Raquel Menezes; Luís Meira Machado; Susana Faria; Miguel de Carvalho. 1. ed. Springer, 2025. p. 69-82 (Springer Proceedings in Mathematics and Statistics).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Risk assessment of vulnerabilities exploitation

AU - Brilhante, M. Fátima

AU - Pestana, Pedro

AU - Rocha, M. Luísa

AU - Sequeira, Fernando

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025/1

Y1 - 2025/1

N2 - Using the Kolmogorov–Smirnov, Cramér–von Mises and Anderson–Darling tests, and the not so commonly applied Vuong’s test, it is shown that a two components hyperlog-logistic distribution, i.e., a mixture of two geo-max-stable log-logistic distributions, provides a good fit for the time from disclosure to update of vulnerabilities sampled from the CVEdetails.com database. It is also shown that the hyperlog-logistic distribution provides a better fit than a heavy-tailed distribution of maxima, or a log-logistic distribution, or even a heavy-tailed two components hyperexponential distribution. Moreover, ways of incorporating uncertainty and of modeling vulnerabilities lifecycle into the Common Vulnerabilities Scoring System (CVSS), the most widely used score to assess severity of vulnerabilities, are discussed, in order to obtain an improved CVSS calculator and the evolution of a score over time.

AB - Using the Kolmogorov–Smirnov, Cramér–von Mises and Anderson–Darling tests, and the not so commonly applied Vuong’s test, it is shown that a two components hyperlog-logistic distribution, i.e., a mixture of two geo-max-stable log-logistic distributions, provides a good fit for the time from disclosure to update of vulnerabilities sampled from the CVEdetails.com database. It is also shown that the hyperlog-logistic distribution provides a better fit than a heavy-tailed distribution of maxima, or a log-logistic distribution, or even a heavy-tailed two components hyperexponential distribution. Moreover, ways of incorporating uncertainty and of modeling vulnerabilities lifecycle into the Common Vulnerabilities Scoring System (CVSS), the most widely used score to assess severity of vulnerabilities, are discussed, in order to obtain an improved CVSS calculator and the evolution of a score over time.

KW - CVSS modifier

KW - Heavy-tailed distributions

KW - Hyperlog-logistic distribution

KW - Vulnerabilities

KW - Vulnerabilities lifecycle

UR - http://www.scopus.com/inward/record.url?scp=85218083444&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-68949-9_6

DO - 10.1007/978-3-031-68949-9_6

M3 - Conference contribution

AN - SCOPUS:85218083444

SN - 9783031689482

SN - 9783031726071

T3 - Springer Proceedings in Mathematics and Statistics

SP - 69

EP - 82

BT - New frontiers in statistics and data science

A2 - Henriques-Rodrigues, Lígia

A2 - Menezes, Raquel

A2 - Machado, Luís Meira

A2 - Faria, Susana

A2 - de Carvalho, Miguel

PB - Springer

T2 - 26th Congress of the Portuguese Statistical Society, SPE 2023

Y2 - 13 October 2021 through 16 October 2021

ER -

Risk assessment of vulnerabilities exploitation

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

CITAR: Research Center for Science and Technology of the Arts

Cite this

Risk assessment of vulnerabilities exploitation

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Projects

CITAR: Research Center for Science and Technology of the Arts

Cite this