Historical Analysis of Exploit Availability Timelines

Authors: 

Allen D. Householder, Carnegie Mellon University; Jeff Chrabaszcz, Govini; Trent Novelly, Carnegie Mellon University; David Warren, SEI CERT; Jonathan M. Spring, Carnegie Mellon University

Long Research Paper

Abstract: 

Vulnerability management is an important cybersecurity function. Within vulnerability management, there are multiple points where knowing whether an exploit targeting a given vulnerability is publicly available would inform vulnerability mitigation priority. Despite the value of this question, there is no available historical baseline of when and how many vulnerabilities get associated public exploits. We analyze all vulnerabilities with CVE-IDs since two common repositories of public exploit data became available and find that 4.1 ± 0.1% of CVE-IDs have public exploit code associated with them within 365 days. We analyze eight features of a CVE-ID for how they influence exploit publication. Some categories of vulnerability (CWE) are much more likely to have exploit code published than others. Vendor is a sporadic predictor of exploit publication likelihood. Having more vendors involved in a CVE-ID does not appear to affect exploit publication. CVSS score, commonness of the CWE, and how recently the CVE-ID was published all slightly increase the exploit publication likelihood; the confidence intervals for the size of these three effects overlap. Of 75,807 vulnerabilities studied, 3,164 had public exploits over the whole six-year study; for those with exploits, the median time to publication is two days, though the mean time is 91 days.

BibTeX
@inproceedings {256930,
author = {Allen D. Householder and Jeff Chrabaszcz and Trent Novelly and David Warren and Jonathan M. Spring},
title = {Historical Analysis of Exploit Availability Timelines},
booktitle = {13th {USENIX} Workshop on Cyber Security Experimentation and Test ({CSET} 20)},
year = {2020},
url = {https://www.usenix.org/conference/cset20/presentation/householder},
publisher = {{USENIX} Association},
month = aug,
}
