Papers
Topics
Authors
Recent
Search
2000 character limit reached

Organizational Security Resource Estimation via Vulnerability Queueing

Published 11 Apr 2026 in cs.CR, cs.SE, and eess.SP | (2604.10250v1)

Abstract: We provide an approach that closely estimates an organization's cyber resources directly from vulnerability timestamps, using a non-stationary queueing framework. Traditional attack-surface metrics operate on static snapshots, ignoring the core attack-defense dynamics within information systems, which exhibit bursty, heavy-tailed, and capacity-constrained behavior. Our approach to modeling such dynamics is based on a queueing abstraction of attack surfaces. We utilize a segmentation method to identify piecewise-stationary regimes via Gaussian mixture modeling (GMM) of queue length distributions. We fit segment-specific arrival, service, and resource parameters through the minimization of Kullback--Leibler divergence (KL) between the empirical and estimated distributions. Applied to both large-scale software supply chain data and multi-year private logistics enterprise cyber-ticket workflows, the model estimates organizational resources, measured in the time-varying active personnel and output rate per personnel, solely from bug report and fix timings for software supply chains, and discovery and patch timestamps in the enterprise setting. Our results provide 91--96\% accuracy in resource estimation, making the dynamic queueing framework a compelling approach for understanding attack surface dynamics. Further, our framework exposes resource bottlenecks, establishing a foundation for predictive workforce planning, patch-race modeling, and proactive cyber-risk management.

Summary

  • The paper introduces a novel framework mapping vulnerability events to a G/G/m-b queue, enabling inverse estimation of resource capacity via KL divergence minimization.
  • It employs Gaussian Mixture Model segmentation to capture non-stationary, heavy-tailed attack dynamics, reconstructing time-varying workforce parameters.
  • Validation on OSS and enterprise datasets shows accurate resource estimates, aligning workforce and throughput within 4-9% of independent administrative reports.

Queueing-Theoretic Estimation of Cybersecurity Resources from Vulnerability Dynamics

Introduction and Motivation

The paper "Organizational Security Resource Estimation via Vulnerability Queueing" (2604.10250) introduces a quantitative framework to infer an organization's cybersecurity resource allocation directly from vulnerability management timelines, using non-stationary queueing theory. In contrast to snapshot-based attack surface metrics, this approach models the temporal evolution and heavy-tailed, regime-shifting nature of vulnerability discovery and remediation. The central insight is the mapping of vulnerability events to a G/G/m−bG/G/m{-}b queue, where backlog evolution reflects both threat exposure and defender resource dynamics. By solving an inverse identification problem via Kullback–Leibler divergence minimization between empirical and simulated queue-length distributions (QLDs), the method estimates effective workforce size and throughput with high fidelity, using only event log timestamps.

Queueing Framework for Attack Surface Dynamics

The attack surface is conceptualized as a discrete-time, capacity-constrained queue where vulnerabilities arrive and are serviced (i.e., patched or mitigated), subject to bounded defensive resources. The number of active unaddressed vulnerabilities at time tt (N(t)N(t)) evolves as:

N(t+1)=[N(t)+V(t)−Nd(t)]+N(t+1) = \left[N(t) + V(t) - N_d(t)\right]^+

where V(t)V(t) is the number of new vulnerabilities and Nd(t)N_d(t) the number of departures via defense (patching, mitigation, etc.). The G/G/m−bG/G/m{-}b abstraction denotes general interarrival (IA) and service time (ST) distributions, mm parallel servers (defenders/staff), and an overall throughput constraint bb (jobs/time) (Figure 1). Figure 1

Figure 1: Queueing representation of the attack surface, with arrival and service dictated by non-stationary processes and finite resource capacity.

Unlike classic queueing analyses, the central focus here is the inverse problem: using observed vulnerability discovery and mitigation timestamps to reconstruct the time-varying vector of latent resource parameters, namely the effective workforce (mm) and aggregate throughput (tt0).

Segmented Modeling of Non-Stationary Queues

Given that real-world vulnerability data is heterogeneous, bursty, and subject to regime shifts, the paper introduces a segmentation approach that fits a Gaussian Mixture Model (GMM) to the empirical QLD, extracting quasi-stationary intervals with distinct queueing parameters. The methodology proceeds in four principal stages:

  1. Trajectory Reconstruction: Build the empirical queue-length trajectory tt1 from event timestamps.
  2. GMM Segmentation: Fit a univariate GMM to the QLD, identifying mixture components that correspond to distinct operational regimes (Figure 2).
  3. Parameter Inference per Segment: For each segment, simulate tt2 queueing models with varying tt3 and minimize KL divergence to the empirical QLD, thereby recovering segment-specific parameters.
  4. Distributional Validation: Compare the segmented, parametric model (and a bootstrap estimate) to the empirical and GMM-based QLDs to verify fidelity. Figure 2

Figure 2

Figure 2

Figure 2: Queue-length evolution with segmentation cut points denoting quasi-stationary periods in the vulnerability workflow.

This segmentation enables fine-grained recovery of time-varying resource allocation, aligning queueing model outputs with observed operational shifts and directly uncovering bottlenecks or under-resourced periods.

Data Validation: Software Supply Chain and Enterprise Environments

Two large-scale empirical datasets were used for validation:

  • ARVO (Open Source Software Supply Chain): Timestamps on vulnerability discovery and patching events from OSS-Fuzz-driven C/C++ projects.
  • Enterprise IT Ticketing System: Multi-year organizational vulnerability ticket logs, including open/discovery/closure timestamps and administrative metadata.

Both exhibit considerable non-stationarity in IA and ST, as confirmed by moving-average analysis and multi-modal QLDs (Figure 3). Figure 3

Figure 3

Figure 3: Moving-average interarrival (IA) and service times (ST) for ARVO, illustrating temporal non-stationarity.

Segmentation on ARVO typically resulted in 10 quasi-stationary regimes, each with unique heavy-tailed IA and ST distributions (Figure 4), while the enterprise dataset, with more regulated workflow, settled on three regimes. Log-logistic, generalized Pareto, and mixture models were particularly effective in capturing the IA and ST tails (Figure 5). Figure 4

Figure 4

Figure 4

Figure 4: Best-fitting IA and ST models (log-logistic, generalized Pareto, etc.) for a quasi-stationary ARVO segment, reflecting heavy-tailed dynamics.

Figure 5

Figure 5

Figure 5

Figure 5

Figure 5: IA fits for Component 1 highlight the heavy-tailed nature of vulnerability arrivals in the ARVO dataset.

Quantitative Performance and Accuracy

The segmentation-based queue model achieves exceptionally strong alignment between simulated, empirical, and GMM-modeled QLDs across datasets. In ARVO, a KL divergence of 0.1074 between the segmented tt4 model and empirical QLDs was achieved—on par with nonparametric bootstrapping and closely trailing perfect GMM fits.

For the logistics enterprise, the model's estimates of workforce (tt5) and aggregate capacity (tt6) align within 4–5% for tt7 and within 9% for tt8, when matched against independently observed administrative reports. This agreement demonstrates the approach's utility in practical, high-volume operational environments, without the need for privileged access to organizational staffing records.

Implications and Future Prospects

Practical Implications:

This approach equips organizations with the ability to diagnose and forecast cybersecurity workforce needs, identify latent resource bottlenecks, and optimize defensive postures in response to changing attack rates or process changes, exclusively from event log data. The model naturally extends to settings where staff, automation, or patch throughput is highly dynamic.

Theoretical Advances:

The work advances the state-of-the-art in cyber risk modeling by integrating capacity-limited queueing with data-driven segmentation, directly linking event-level traces to actionable resource metrics. It challenges the adequacy of snapshot or stationary risk metrics and highlights the necessity of models that internalize heavy-tailed, bursty, and non-stationary behaviors in modern cyber-physical infrastructures.

Prospective Developments:

The authors outline several extensions, including: integrating real-time staffing recommendations, modeling attacker exploitation as an additional queueing process, and scaling to unified models that incorporate AI-driven defenders and attack automation. These directions are essential, as automated adversaries, increased workflow coupling, and AI-amplified threat vectors continue to erode classical assumptions of stationarity and capacity sufficiency in large security ecosystems.

Conclusion

This paper establishes a data-driven, non-stationary queueing-theoretic approach for modeling and reconstructing organizational security resources by capturing the granular temporal dynamics of vulnerability backlogs. By segmenting empirical queue-length trajectories and fitting segment-specific queueing models, precise, actionable estimates of workforce size and throughput are obtained, with validation in both software supply chain and enterprise IT environments. The approach not only achieves high prediction accuracy but also establishes a foundation for resource-aware cyber risk management in a landscape defined by volatility, automation, and adversarial adaptation.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.