Title: Consensus forecasting of zero-day vulnerabilities for network security
Author: David C. Last
DOI: 10.1109/CCST.2016.7815718 (https://doi.org/10.1109/CCST.2016.7815718)
Published in: 2016 IEEE International Carnahan Conference on Security Technology (ICCST), pages 1-8
Publication date: 2016-01-01
Publication type: Journal Article
Open access: no
Source: Semantic Scholar
Citation count: 3

Abstract

Network defenders are locked in a constant race with attackers as they try to defend their networks. The defenders suffer from a huge disadvantage: they lack knowledge of the existence of zero-day vulnerabilities that have not yet been discovered or publicly disclosed, but that are still weakening the security of their networks. It would be a huge advantage to these defenders if they had some idea of where and when these vulnerabilities would appear and how severe they would be. The research presented here is directed towards producing accurate forecasts of the location and severity of zero-day vulnerabilities that will be discovered in the next 12-24 months. Forecasts of future zero-day vulnerabilities can be incorporated into Attack Surface security metrics that calculate the security posture of a network. Incorporating yet-to-be-discovered vulnerabilities into these calculations will alert network defenders to potential areas of weakness before they become a problem. In this research, three distinct forecasting model suites based on regression models and machine learning are used. These forecast model suites are applied to zero-day vulnerability discovery at the global and category (web browser, operating system, and video player) levels. Preliminary results demonstrate, as expected, that different models provide better forecasts at different times, but that it is difficult to predict which models will perform better under which circumstances. Therefore, the outputs of the forecast models are combined using consensus models based on Quantile Regression Averaging (QRA) and other techniques. These consensus models are expected to perform better than most individual forecast models over time, and experimental results demonstrate the strength of these consensus models.

It is also important to understand the margin of error in these forecasts. QRA and other methods generate 68% and 95% confidence bounds around the forecasts, which give network defenders an idea of the best- and worst-case scenarios for which they should prepare. Experimental results generated by the consensus models demonstrate the strength of the forecasts and the confidence bounds. The results make a strong case for continuing this work by applying it to individual software applications.