- The paper introduces adaptive forecasting approaches tailored to sparse, bursty vulnerability sightings, revealing limitations of traditional ARIMA models.
- It systematically evaluates count-based regression models like Poisson and negative binomial, highlighting their strengths and shortcomings with short event series.
- The study proposes parametric event dynamic models, including exponential decay and logistic growth, for improved prediction accuracy across different data regimes.
Modeling Sparse and Bursty Vulnerability Sightings: Forecasting Under Data Constraints
Introduction
The paper "Modeling Sparse and Bursty Vulnerability Sightings: Forecasting Under Data Constraints" (2604.16038) rigorously examines the technical challenges and methodological directions for forecasting temporal patterns in vulnerability “sightings”—such as public exploit availability, detection tool releases, or prominent security discussions—at the granularity of individual CVEs. The work is situated at the intersection of threat intelligence, applied time-series analysis, and vulnerability management, with an explicit focus on the sparsity, burstiness, and operational constraints that distinguish vulnerability sightings from standard event streams.
Forecasting the cadence and volume of vulnerability sightings informs both tactical patching decisions and broader risk prioritization. Unlike aggregate CVE publication rates, which have smoother temporal structures and larger datasets [10.1145/3492328], the sighting counts per CVE are inherently sparse (dominated by zeros) and exhibit bursty, non-stationary dynamics. The incorporation of semantic severity predictors, particularly the VLAI transformer-based model (Bonhomme et al., 4 Jul 2025), enables the integration of contextualized severity estimations as exogenous explanatory variables in the forecasting workflow, a feature underutilized in prior frameworks such as Vuln4Cast and EPSS (Jacobs et al., 2023).
Evaluation of Forecasting Models
The authors systematically evaluate classical and modern statistical models for short-term event forecasting, with an emphasis on operational deployability and interpretability under severe data limitations.
SARIMAX Models
Experiments with ARIMA-family models (SARIMAX, with log-transformations and optional VLAI-based exogenous regressors) demonstrate pronounced limitations in the context of vulnerability sighting time series. Particularly,
- Parameter estimation is unstable with typical training horizons of only 10–30 observations per CVE.
- Negative or implausible predictions persist even after variance stabilization, and confidence intervals are uninformatively broad.
- Inclusion of VLAI as an exogenous regressor yields marginal improvements, but the nearly-stationary nature of severity estimates post-disclosure constrains its informativeness for daily forecasting.
- SARIMAX may be serviceable when applied at higher aggregation levels or over longer, denser data series, but not in the sparse, bursty regime characteristic of individual sightings.
Poisson and Negative Binomial Modeling
Count-based regression models, particularly Poisson regression (and its negative binomial variants for overdispersion), provide essential guarantees for non-negativity and tractable interpretability of event forecasts. The findings indicate:
- Poisson regression yields plausible short-term directional forecasts in sighting-rich CVEs, effectively avoiding negative predictions.
- However, issues including under/over-dispersion and high sensitivity to outliers persist, and parameter fit remains unreliable with extremely short event series.
- Regression approaches are valuable for initial post-disclosure windows but degrade in performance when faced with regime shifts typical of coordinated exploit release or rapid remediation.
Parametric Event Dynamics: Exponential Decay and Logistic Growth
Given the unreliability of traditional time-series and count models under severe data scarcity, the paper investigates parametric event-dynamics models:
- Exponential Decay: Models the fading profile of sighting counts post-peak, yielding robust fits for vulnerabilities transitioning into decreasing activity regimes. The form y(t)=ae−bt+c can be fit with minimal data and provides sensible, bounded forecasts absent strong growth trends.
- Logistic Growth: Appropriate for “burst-and-fade” phenomena, where initial disclosure prompts a transient surge and subsequent plateau in observable activity. Logistic fits are shown to capture early exponential growth and subsequent saturation, outperforming other models during active exploitation phases.
- Adaptive Selection: The model selection based on empirical trend detection (logistic for increasing, exponential decay for decreasing series) constitutes an operationally robust meta-approach, better aligning model choice with the phase of vulnerability attention.
Empirical Findings
Through systematic application to real-world CVEs, the authors document:
- For high-sighting vulnerabilities (e.g., CVE-2025-61932), Poisson and exponential decay models produce comparable predictions post-peak, while logistic fits dominate during initial growth.
- For low-sighting or sudden-drop series, standard Poisson or SARIMAX models overestimate continuation; adaptive regime detection is essential for accurate short-term forecasting.
- On long-lived or heavily observed CVEs (e.g., CVE-2022-26134), logistic growth models maintain performance stability across burst events, underscoring their utility for extended series with complex dynamics.
Practical Implications
The study advocates for pragmatic model selection tailored to data regime:
- Initial modeling should utilize simple event dynamics (exponential decay or logistic growth), rolling averages, or Poisson regression, with adaptive selection mechanisms for changing sighting rates.
- Data quality preprocessing—deduplication, spike detection, and gap filling—is necessary for operationally reliable forecasts.
- Aggregating across heterogeneous intelligence sources increases horizon length, expanding the viable set of statistical models.
- The integration of time-invariant exogenous variables (VLAI, CVSS) offers some uplift, but their static nature post-disclosure limits their role in fine-grained temporal forecasting.
Implications and Future Directions
From both theoretical and practical standpoints, these results indicate:
- The rare-event, burst-dominated nature of vulnerability sightings fundamentally constrains the applicability of ARIMA-type time-series models at the CVE level.
- Parametric dynamic models and count regressions, particularly when adaptively selected, should be default choices for operational sighting forecasting tools.
- Real-time model updating and dynamic integration of variable sighting types (Seen, Confirmed, Exploited) and ongoing severity re-assessment is likely to improve predictive power.
- These methodologies have substantial downstream utility for active vulnerability management, enabling more nuanced and timely alerting and remediation prioritization.
Conclusion
This work establishes a comprehensive methodological baseline for forecasting sparse and bursty vulnerability sighting counts. It demonstrates the consistent failure of classical time-series models under such constraints, endorses parametric and count-based approaches, and advocates for pragmatically adaptive model selection. The implications span operational cyber defense—where timely prioritization under data scarcity is paramount—and motivate future research into multi-source aggregation, real-time adaptive modeling, and the use of richer exogenous covariates for improved prioritization and forecasting performance.