<h2id="why-lev-matters">Why LEV Matters<aclass="headerlink" href="#why-lev-matters" title="Permanent link">¶</a></h2>
2007
2007
<divclass="admonition tip">
2008
-
<pclass="admonition-title"><strong>KEY INSIGHT: The Three-Dimensional View of Vulnerability <abbrtitle="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr></strong></p>
2009
-
<p>LEV fills a critical gap by looking backward in time, complementing forward-looking and current exploitation data:</p>
2008
+
<pclass="admonition-title"><strong>KEY INSIGHT: LEV gives an additional View of Vulnerability <abbrtitle="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr></strong></p>
2009
+
<p>LEV fills a gap by looking backward in time, complementing forward-looking and current exploitation data:</p>
2010
2010
<table>
2011
2011
<thead>
2012
2012
<tr>
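Review bot: capitalization in the new admonition title is inconsistent: "LEV gives an additional View of Vulnerability Risk" mixes sentence case ("gives an additional") with title case ("View of Vulnerability Risk"). Pick one form, e.g. "LEV Gives an Additional View of Vulnerability Risk", so it matches the other KEY INSIGHT titles. Toning down "Three-Dimensional" and "critical" is fine; the paragraph that follows still explains the backward / current / forward-looking split on its own.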
@@ -2172,7 +2172,10 @@ <h3 id="misunderstanding-of-epss">Misunderstanding of <abbr title="Exploit Predi
<pclass="admonition-title"><strong>Invalid Probability Division</strong></p>
2175
-
<p>The "Small Probability" approximation is not valid for higher <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> scores (the scores of interest).</p>
2175
+
<p>The "Small Probability" approximation is not valid for higher <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> scores (the scores of interest), and is not necessary if the computation is optimized per the <ahref="https://github.com/RiskBasedPrioritization/LEV/">Source Code</a> provided here.</p>
2176
+
<ul>
2177
+
<li>Rigorous vs NIST approximation time ratio: 2.23x</li>
2178
+
</ul>
2176
2179
</div>
2177
2180
<p>LEV handles <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> scores as covering only a single day by dividing them by 30: <spanclass="arithmatex">\(P_1 \approx P_{30}/30\)</span></p>
2178
2181
<p>Dividing a 30-day probability by 30 to get a 1-day probability generally <strong>does not make sense</strong> in a rigorous probabilistic context.</p>
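Review bot: the new bullet "Rigorous vs NIST approximation time ratio: 2.23x" does not say which calculation took 2.23x longer than which, nor what was timed (the LEV run, the composite probability, or both) or on what run. State the direction explicitly, e.g. "the rigorous calculation took 2.23x the wall-clock time of the NIST approximation", and point at the run that produced the number. "Optimized per the Source Code provided here" is also vague about what optimization removes the need for the approximation; the Tip later in this file names it (standard concurrent processing), so a phrase to that effect here would help readers who do not open the repository. A one-item `<ul>` inside the admonition could simply be a sentence.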
<p>Using standard concurrent processing per the source code, the approximation is not required on a standard computer.</p>
2208
+
<p>The code to calculate LEV (both approximation and rigorous), and the composite probability (both approximation and rigorous) completes in less than 30 minutes on a standard computer. </p>
2205
2209
<ul>
2206
-
<li>the code completes in minutes </li>
2210
+
<li>The approximation calculations are not required but in the code for comparison.</li>
2211
+
<li>See example log file: <ahref="https://github.com/RiskBasedPrioritization/LEV/blob/main/logs/20250531_180156.log">https://github.com/RiskBasedPrioritization/LEV/blob/main/logs/20250531_180156.log</a></li>
2207
2212
</ul>
2213
+
<p>Calculations for new days (new runs) can be very fast if the code is optimized to use existing calculations from previous runs (it isn't currently).</p>
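Review bot: the new bullet "The approximation calculations are not required but in the code for comparison." is missing a verb; suggest "are not required but are kept in the code for comparison." The new paragraph also has a stray space before the closing tag ("computer. </p>"). Since the "less than 30 minutes on a standard computer" claim depends on concurrent processing, it would be more useful if it named the core count / hardware the linked log was produced on. "(it isn't currently)" reads better as "the current code does not yet do this."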
<p>The <strong>Independent Events Assumption</strong> is not valid because:</p>
2223
2229
<ul>
2224
-
<li>The <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> data shows that signature detections do have patterns and are not entirely independent events. See <ahref="https://www.cyentia.com/epss-study/">detailed analysis of exploitation patterns over time</a></li>
2230
+
<li>The <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> data shows that signature detections do have patterns and are not entirely independent events. See <ahref="https://www.cyentia.com/epss-study/">detailed analysis of exploitation patterns over time</a>.</li>
2225
2231
<li>Attacks driven by people have patterns e.g., a persistent threat, periodic probing of targets</li>
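Review bot: adding a terminal period to the first `<li>` leaves the list inconsistent, because the unchanged next item ("...periodic probing of targets") still ends without one; either add a period there as well or drop this one.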
<pclass="admonition-title"><strong>Rationale is lacking for <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> Scores as Lower Bounds</strong></p>
2230
2236
<p>"While <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> scores assume that a vulnerability has not been observed to be exploited in the past".</p>
2231
-
<p>The <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> model or score is not making this assumption.</p>
2232
-
<p>This is not the same as the <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> model not using past exploitation data directly to feed the model.</p>
2237
+
<ul>
2238
+
<li>The <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> model or score is not making this assumption.</li>
2239
+
<li>This is not the same as the <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> model not using past exploitation data directly to feed the model.</li>
2240
+
</ul>
2241
+
<p>The "<abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> Scores as Lower Bounds" rationale from the NIST CSWP 41 paper basically says:
2242
+
"If the <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> IDS data sees an actual attack attempt (so true positive in the validation data), the <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> score is not set to 1 for that day. So the <abbrtitle="Exploit Prediction Scoring System">EPSS</abbr> score on that day is an under-estimate."</p>
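Review bot: the added text after "basically says:" is wrapped in double quotes, which makes the paraphrase read as a verbatim quotation from NIST CSWP 41; drop the quote marks or introduce it with "in effect:" and cite the section of CSWP 41 being summarized. The first new bullet, "The EPSS model or score is not making this assumption", directly contradicts the quoted NIST sentence but gives no source; a link to the EPSS model description that supports the rebuttal would make it checkable. Minor: the `<p>` beginning "The ... rationale from the NIST CSWP 41 paper" is split across two source lines, which is harmless in HTML but unusual for this file.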
<h2 id="epss-lev-why-lev-matters">Why LEV Matters<a class="headerlink" href="#epss-lev-why-lev-matters" title="Permanent link">¶</a></h2>
4610
4610
<div class="admonition tip">
4611
-
<p class="admonition-title"><strong>KEY INSIGHT: The Three-Dimensional View of Vulnerability <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr></strong></p>
4612
-
<p>LEV fills a critical gap by looking backward in time, complementing forward-looking and current exploitation data:</p>
4611
+
<p class="admonition-title"><strong>KEY INSIGHT: LEV gives an additional View of Vulnerability <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr></strong></p>
4612
+
<p>LEV fills a gap by looking backward in time, complementing forward-looking and current exploitation data:</p>
4613
4613
<table>
4614
4614
<thead>
4615
4615
<tr>
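Review bot: the new admonition title "LEV gives an additional View of Vulnerability Risk" mixes sentence case and title case; use one form consistently, e.g. "LEV Gives an Additional View of Vulnerability Risk". The softened wording (no "Three-Dimensional", no "critical") is fine, as the following paragraph still explains the backward / current / forward-looking split.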
@@ -4775,7 +4775,10 @@ <h3 id="epss-lev-misunderstanding-of-epss">Misunderstanding of <abbr title="Expl
<p class="admonition-title"><strong>Invalid Probability Division</strong></p>
4778
-
<p>The "Small Probability" approximation is not valid for higher <abbr title="Exploit Prediction Scoring System">EPSS</abbr> scores (the scores of interest).</p>
4778
+
<p>The "Small Probability" approximation is not valid for higher <abbr title="Exploit Prediction Scoring System">EPSS</abbr> scores (the scores of interest), and is not necessary if the computation is optimized per the <a href="https://github.com/RiskBasedPrioritization/LEV/">Source Code</a> provided here.</p>
4779
+
<ul>
4780
+
<li>Rigorous vs NIST approximation time ratio: 2.23x</li>
4781
+
</ul>
4779
4782
</div>
4780
4783
<p>LEV handles <abbr title="Exploit Prediction Scoring System">EPSS</abbr> scores as covering only a single day by dividing them by 30: <span class="arithmatex">\(P_1 \approx P_{30}/30\)</span></p>
4781
4784
<p>Dividing a 30-day probability by 30 to get a 1-day probability generally <strong>does not make sense</strong> in a rigorous probabilistic context.</p>
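Review bot: "Rigorous vs NIST approximation time ratio: 2.23x" leaves the direction and the measured quantity implicit; say which calculation took 2.23x longer than which, what was timed, and which run the figure comes from (e.g. "the rigorous calculation took 2.23x the wall-clock time of the NIST approximation"). "Optimized per the Source Code provided here" should name the optimization that makes the approximation unnecessary; the LEV2 Approximation Tip below already says "standard concurrent processing", so the same phrase fits here. A single-item `<ul>` inside the admonition could be folded into the sentence.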
@@ -4805,9 +4808,12 @@ <h3 id="epss-lev-lev2-approximation">LEV2 Approximation<a class="headerlink" hre
4805
4808
<div class="admonition tip">
4806
4809
<p class="admonition-title">Tip</p>
4807
4810
<p>Using standard concurrent processing per the source code, the approximation is not required on a standard computer.</p>
4811
+
<p>The code to calculate LEV (both approximation and rigorous), and the composite probability (both approximation and rigorous) completes in less than 30 minutes on a standard computer. </p>
4808
4812
<ul>
4809
-
<li>the code completes in minutes </li>
4813
+
<li>The approximation calculations are not required but in the code for comparison.</li>
4814
+
<li>See example log file: <a href="https://github.com/RiskBasedPrioritization/LEV/blob/main/logs/20250531_180156.log">https://github.com/RiskBasedPrioritization/LEV/blob/main/logs/20250531_180156.log</a></li>
4810
4815
</ul>
4816
+
<p>Calculations for new days (new runs) can be very fast if the code is optimized to use existing calculations from previous runs (it isn't currently).</p>
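Review bot: "The approximation calculations are not required but in the code for comparison." needs a verb ("but are kept in the code for comparison"), and the new paragraph has a trailing space before `</p>` ("computer. </p>"). The "less than 30 minutes on a standard computer" claim would be stronger if it stated the core count / hardware behind the linked log, since the timing depends on concurrent processing. "(it isn't currently)" reads better as "the current code does not yet do this."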
<p>The <strong>Independent Events Assumption</strong> is not valid because:</p>
4826
4832
<ul>
4827
-
<li>The <abbr title="Exploit Prediction Scoring System">EPSS</abbr> data shows that signature detections do have patterns and are not entirely independent events. See <a href="https://www.cyentia.com/epss-study/">detailed analysis of exploitation patterns over time</a></li>
4833
+
<li>The <abbr title="Exploit Prediction Scoring System">EPSS</abbr> data shows that signature detections do have patterns and are not entirely independent events. See <a href="https://www.cyentia.com/epss-study/">detailed analysis of exploitation patterns over time</a>.</li>
4828
4834
<li>Attacks driven by people have patterns e.g., a persistent threat, periodic probing of targets</li>
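Review bot: the terminal period added to the first `<li>` leaves the list inconsistent, since the unchanged next item ("...periodic probing of targets") still has none; add a period there too or remove this one.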
<p class="admonition-title"><strong>Rationale is lacking for <abbr title="Exploit Prediction Scoring System">EPSS</abbr> Scores as Lower Bounds</strong></p>
4833
4839
<p>"While <abbr title="Exploit Prediction Scoring System">EPSS</abbr> scores assume that a vulnerability has not been observed to be exploited in the past".</p>
4834
-
<p>The <abbr title="Exploit Prediction Scoring System">EPSS</abbr> model or score is not making this assumption.</p>
4835
-
<p>This is not the same as the <abbr title="Exploit Prediction Scoring System">EPSS</abbr> model not using past exploitation data directly to feed the model.</p>
4840
+
<ul>
4841
+
<li>The <abbr title="Exploit Prediction Scoring System">EPSS</abbr> model or score is not making this assumption.</li>
4842
+
<li>This is not the same as the <abbr title="Exploit Prediction Scoring System">EPSS</abbr> model not using past exploitation data directly to feed the model.</li>
4843
+
</ul>
4844
+
<p>The "<abbr title="Exploit Prediction Scoring System">EPSS</abbr> Scores as Lower Bounds" rationale from the NIST CSWP 41 paper basically says:
4845
+
"If the <abbr title="Exploit Prediction Scoring System">EPSS</abbr> IDS data sees an actual attack attempt (so true positive in the validation data), the <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score is not set to 1 for that day. So the <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score on that day is an under-estimate."</p>
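Review bot: quoting the paraphrase after "basically says:" makes it look like a verbatim quotation from NIST CSWP 41; remove the quote marks or introduce it with "in effect:" and cite the section being summarized. The bullet "The EPSS model or score is not making this assumption" rebuts the quoted NIST sentence without a source; link the EPSS model description that supports it so the reader can verify the claim.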