Deploying-Securely / DSRAM

Apache License 2.0

epss_365 day calculation #8

Open rajkrishnamurthy opened 2 years ago

rajkrishnamurthy commented 2 years ago

Hi @Walter-Haydock: Great job on the DSRAM model and the notebook. Couple of questions:

  1. Can you please explain the math that you used for the exploitation curve factor? risk_of_exploitation = .05 ^ (.0125 * CVE age in days)
  2. Based on your comments on the Mandiant research, wouldn't this be a discrete probability of 33.33% between 1 and 7 days (i.e., a week), 22.22% between 8 and 30 days (assuming 30 days per month) and 14.82% for > 30 days? How are you able to derive a continuous probability based on this assumption? Can you please explain how you are computing the probability across 12 months to extrapolate the 30-day EPSS probability to 365 days (lines 106-118 in likelihood.py)?
  3. How do you calculate the likelihood of occurrence of an exploit from the epss_30_day probability?
Walter-Haydock commented 2 years ago

@rajkrishnamurthy - thanks for the questions.

  1. The basis for this is extremely rough. I basically played around with a graphic calculator to come up with an equation that matches Mandiant's findings, and then added that equation to the model. I am absolutely open to a better/more precise approach.
  2. I agree that the Mandiant research has multiple buckets, but my assumption is that the probability of exploitation decreases over time in a non-linear fashion (described by the equation I mapped above). That is how I derived a continuous probability.
  3. The epss_365_day probability uses the equation above to derive the probability of exploitation for each month of a one-year (12 month) period. I then used the equation from this post (https://math.stackexchange.com/questions/490859/calculating-probabilities-over-longer-period-of-time) to determine the total probability in a one-year period.
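The calculation described in the two answers above, written out as an added example (this is not DSRAM's own `likelihood.py` code). The curve factor `0.05 ** (0.0125 * age_days)` is taken verbatim from the question; the math.stackexchange formula referenced is the "at least one event in n periods" rule `1 - prod(1 - p_i)`, which assumes the months are independent. How the curve factor is applied to the 30-day EPSS value for each month is not spelled out in the thread, so the `monthly_probabilities` scaling (30-day EPSS times the curve factor at the CVE's age at the start of that month) is an assumption of this example, as are the `constant_rate_365` comparison and the sample inputs:

```python
"""Worked example of the DSRAM epss_365_day discussion (added example, not project code)."""

from typing import List


def exploitation_curve_factor(age_days: float) -> float:
    """Decay factor quoted in the thread: 0.05 ** (0.0125 * CVE age in days).

    Equals 1.0 at age 0, 0.05 at age 80 days, and approaches 0 as the CVE ages.
    Note that this is a factor, not the Mandiant bucket percentages themselves.
    """
    return 0.05 ** (0.0125 * age_days)


def monthly_probabilities(epss_30_day: float, age_days: float,
                          months: int = 12, days_per_month: int = 30) -> List[float]:
    """Per-month exploitation probabilities over a one-year window.

    ASSUMPTION (not stated in the thread): month i uses the 30-day EPSS value
    scaled by the curve factor at the CVE's age at the start of that month.
    Values are clamped to [0, 1] so the combination step stays a probability.
    """
    if not 0.0 <= epss_30_day <= 1.0:
        raise ValueError("epss_30_day must be a probability in [0, 1]")
    probs = []
    for i in range(months):
        age_at_month = age_days + i * days_per_month
        p = epss_30_day * exploitation_curve_factor(age_at_month)
        probs.append(min(1.0, max(0.0, p)))
    return probs


def combine_independent(probs: List[float]) -> float:
    """P(at least one exploitation) = 1 - prod(1 - p_i).

    This is the rule from the math.stackexchange answer the thread links.
    Caveat: it treats each month as an independent trial; with no months it is 0.
    """
    survive = 1.0  # probability of *no* exploitation in any month so far
    for p in probs:
        survive *= (1.0 - p)
    return 1.0 - survive


def epss_365_day(epss_30_day: float, age_days: float) -> float:
    """One-year probability under the decaying monthly model above."""
    return combine_independent(monthly_probabilities(epss_30_day, age_days))


def constant_rate_365(epss_30_day: float, months: int = 12) -> float:
    """Reference point: the same rule with no decay, 1 - (1 - p) ** 12.

    Because the curve factor is <= 1, epss_365_day() can never exceed this.
    """
    return 1.0 - (1.0 - epss_30_day) ** months


if __name__ == "__main__":
    # Constructed sample inputs: a 10% 30-day EPSS score for a newly published CVE.
    sample_epss, sample_age = 0.10, 0
    print("monthly:", [round(p, 5) for p in monthly_probabilities(sample_epss, sample_age)])
    print("epss_365_day:", round(epss_365_day(sample_epss, sample_age), 5))
    print("no-decay bound:", round(constant_rate_365(sample_epss), 5))
```

Two sanity checks worth keeping in any rewrite of this logic: the combined one-year figure must lie between the largest monthly probability and the sum of the monthly probabilities (and never above 1), and feeding a 30-day value of 1.0 must yield exactly 1.0 for the year. Both hold for the code above; they are easy to lose if the monthly values are summed rather than combined.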
rajkrishnamurthy commented 2 years ago

Thanks @Walter-Haydock. I read the stackexchange link but did not understand, because I believe that this follows a discrete probability model. Are you open to me creating a PR with changes? I will document my changes as well.

Walter-Haydock commented 2 years ago

Please do! I would greatly appreciate your input, and by no means have cornered the market on statistical knowledge.
