Skip to main content

Modeling Sparse and Bursty Vulnerability Sightings: Forecasting Under Data Constraints

AuthorsCedric Bonhomme & Alexandre Dulaunoy
Year2026
HF Upvotes2
arXiv2604.16038
PDFDownload
HF PageView on Hugging Face

Abstract

Understanding and anticipating vulnerability-related activity is a major challenge in cyber threat intelligence. This work investigates whether vulnerability sightings, such as proof-of-concept releases, detection templates, or online discussions, can be forecast over time. Building on our earlier work on VLAI, a transformer-based model that predicts vulnerability severity from textual descriptions, we examine whether severity scores can improve time-series forecasting as exogenous variables. We evaluate several approaches for short-term forecasting of sightings per vulnerability. First, we test SARIMAX models with and without log(x+1) transformations and VLAI-derived severity inputs. Although these adjustments provide limited improvements, SARIMAX remains poorly suited to sparse, short, and bursty vulnerability data. In practice, forecasts often produce overly wide confidence intervals and sometimes unrealistic negative values. To better capture the discrete and event-driven nature of sightings, we then explore count-based methods such as Poisson regression. Early results show that these models produce more stable and interpretable forecasts, especially when sightings are aggregated weekly. We also discuss simpler operational alternatives, including exponential decay functions for short forecasting horizons, to estimate future activity without requiring long historical series. Overall, this study highlights both the potential and the limitations of forecasting rare and bursty cyber events, and provides practical guidance for integrating predictive analytics into vulnerability intelligence workflows.


Engineering Breakdown

Plain English

This paper investigates whether vulnerability activity (proof-of-concept releases, detection templates, discussions) can be forecasted using time-series models enhanced with AI-derived severity scores. The authors build on VLAI, a transformer model that predicts vulnerability severity from text, and test whether these severity predictions improve SARIMAX forecasting models for predicting sightings per vulnerability. They find that while severity inputs provide some improvement, SARIMAX remains poorly suited to the sparse, bursty nature of vulnerability sighting data—suggesting the need for alternative modeling approaches better adapted to this domain.

Core Technical Contribution

The core contribution is investigating the use of AI-predicted vulnerability severity (from a transformer-based text encoder) as an exogenous variable to improve time-series forecasting of vulnerability-related activity sightings. Rather than treating severity and temporal dynamics separately, the authors explicitly test whether semantic understanding of vulnerability risk (captured by VLAI) can be injected into classical time-series models to improve prediction accuracy. The novelty lies in the cross-modal integration: using a language model's understanding of vulnerability text to inform statistical forecasts of when and how often a vulnerability will be observed in the wild.

How It Works

The pipeline operates in two stages. First, VLAI (a transformer-based model trained on vulnerability descriptions) encodes each vulnerability's textual description and outputs a severity score, which serves as an exogenous feature. Second, these severity scores are fed into SARIMAX (Seasonal AutoRegressive Integrated Moving Average with eXogenous variables) models alongside historical sighting counts. The SARIMAX model learns seasonal patterns, autoregressive dependencies, and differencing rules from the sparse time-series of sightings, while the severity signal provides additional explanatory power. The authors test variants with and without log(x+1) transformations to handle the sparsity of the sighting data. The model outputs probabilistic forecasts of sightings for each vulnerability at future time steps, enabling threat intelligence teams to anticipate when a vulnerability will enter active exploitation phases.

Production Impact

undefined

Limitations and When Not to Use This

The paper acknowledges that SARIMAX is fundamentally poorly suited to sparse, bursty time-series data typical of vulnerability sightings—many vulnerabilities have long dormant periods punctuated by sudden activity surges, violating SARIMAX's assumption of relatively continuous, stationary patterns. The approach requires substantial historical sighting data per vulnerability, making it inapplicable to newly disclosed vulnerabilities or rare threats with minimal observed activity. Severity scores from VLAI may be limited in predictive power if sighting activity is driven primarily by external factors (media attention, exploit availability, patch difficulty) rather than inherent vulnerability severity. The paper does not evaluate alternative deep learning approaches (LSTMs, Transformers, or attention-based sequence models) that might better capture non-linear, bursty dynamics, leaving open the question of whether classical time-series methods are the right tool for this problem.

Research Context

This work extends VLAI (the authors' prior transformer-based vulnerability severity prediction model) from a single-task predictor into a multi-task framework combining semantic understanding with temporal forecasting. It sits at the intersection of NLP (transformer-based text encoding of vulnerability descriptions), classical time-series analysis (SARIMAX), and cyber threat intelligence, addressing a practical gap: while vulnerability databases (NVD, exploit-db) catalog severity and metadata, few systems predict when a vulnerability transitions from theoretical to actively exploited. The research opens directions toward end-to-end deep learning architectures for vulnerability dynamics (e.g., sequence-to-sequence models with transformer encoders and attention-based decoders) and investigation of what additional features beyond severity (CVSS scores, exploit availability, patch status) might improve forecasts.


:::tip Subscribe Get weekly breakdowns of papers like this in AI Letters - the newsletter for engineers building production AI systems. :::


Back to Research Lab → · Subscribe to AI Letters →

© 2026 EngineersOfAI. All rights reserved.