"Which Security Bugs Will Be Exploited? Researchers Create an ML Model to Find Out"

Researchers at the University of Maryland at College Park and Arizona State University are attempting to give companies additional information on which vulnerabilities could be, or are likely to be, exploited. Using machine learning trained on data from more than two dozen sources, the researchers have created a model for predicting which vulnerabilities will likely result in a functional exploit, a potentially valuable tool that could help companies better decide which software flaws to prioritize. The model, called Expected Exploitability, can catch 60% of the vulnerabilities that will have functional exploits, with a prediction accuracy of 86%. The researchers stated that a key to the research is allowing certain metrics to change over time, because not all relevant information is available when a vulnerability is disclosed; using later events allowed the researchers to hone the prediction's accuracy. The researchers stated that by improving the predictability of exploitation, companies can reduce the number of vulnerabilities deemed critical for patching, but the metric has other uses as well. The researchers noted that exploitability prediction is relevant not only to companies that want to prioritize patching but also to insurance companies trying to calculate risk levels, and to developers, because it may be a step toward understanding what makes a vulnerability exploitable.


Dark Reading reports: "Which Security Bugs Will Be Exploited? Researchers Create an ML Model to Find Out"
