pith. machine review for the scientific record.

arxiv: 2604.06252 · v1 · submitted 2026-03-30 · 💻 cs.CR

Policy-Driven Vulnerability Risk Quantification framework for Large-Scale Cloud Infrastructure Data Security

Pith reviewed 2026-05-14 22:21 UTC · model grok-4.3

classification 💻 cs.CR
keywords vulnerability risk assessment · cloud infrastructure security · CVSS metrics · CVE analysis · risk quantification · correlation analysis · security prioritization

The pith

MVRAF framework quantifies cloud vulnerability risks by weighting CVSS attributes and mapping correlations in CVE records.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes MVRAF to tackle gaps in existing CVE analysis by building a severity model that converts CVSS data into normalized risk scores, a correlation module that detects links among attack factors, and a distribution tool for cumulative risk tracking. It processes 1,314 real CVE entries to flag hotspots and reports that 46.2 percent of network-based vulnerabilities fall into the high-risk category with clear ties between CIA impacts and total severity. Enterprises managing large cloud setups face mounting CVE volume that outpaces manual review, so a quantitative method that supports prioritized fixes addresses a practical bottleneck in data security operations.

Core claim

The MVRAF framework establishes a data-driven method for vulnerability risk assessment by introducing a Vulnerability Severity Quantification Model that applies weighted aggregation to exploitability and CIA impact scores, a Risk Factor Correlation Analysis module that builds matrices for dependencies among vectors, complexity, and privileges, and an Empirical Risk Distribution mechanism for cumulative threat evaluation. Tests on 1,314 CVE records from the National Vulnerability Database show the approach identifies risk hotspots, classifying 46.2 percent of network-based vulnerabilities as high-risk while documenting strong correlations between CIA impacts and overall severity scores.

What carries the argument

MVRAF (Multi-dimensional Vulnerability Risk Assessment Framework) built around a weighted Vulnerability Severity Quantification Model that normalizes CVSS attributes, plus correlation matrices and cumulative distribution analysis.

If this is right

  • Security teams gain a repeatable way to rank vulnerabilities for remediation in cloud environments.
  • Correlation results between impact scores and severity can refine how attack attributes are modeled.
  • Cumulative risk tracking supports decisions on where to allocate limited security resources.
  • The method scales to process growing CVE volumes that manual approaches cannot handle.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the weighted scores prove stable, the model could feed into automated policy engines that adjust cloud access rules in real time.
  • The correlation patterns might be tested on newer CVE batches to see whether they predict risk shifts over time.
  • Extending the distribution analysis to include temporal trends could link risk accumulation to specific cloud deployment patterns.

Load-bearing premise

The chosen weights in the severity model and the derived statistical correlations accurately reflect real exploit risk and threat buildup without separate checks against actual exploit outcomes or expert review.

What would settle it

A side-by-side check of the framework's high-risk labels against documented successful exploit rates in public databases; if many high-risk items show low actual exploitation while low-risk items are exploited more often, the quantification would be falsified.
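One way to run that side-by-side check, as an added example rather than code from the paper: the records below are constructed (placeholder identifiers, made-up severity scores and exploitation flags), the 0.7 high-risk cut-off is an assumption, and the `exploited` flag stands in for an external record such as a known-exploited list. The check compares the observed exploitation rate inside the model's high-risk bucket with the rate in its low-risk bucket; the second data set has the outcomes arranged the other way round, which is the pattern that would falsify the quantification.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScoredRecord:
    cve_id: str        # placeholder identifier, not a real CVE
    severity: float    # model output, normalised to [0, 1]
    exploited: bool    # external ground truth (e.g. listed as known exploited)


# Constructed sample: four records the model rates high-risk (>= 0.7), six it does not.
CONSTRUCTED = [
    ScoredRecord("CVE-EXAMPLE-0001", 0.95, True),
    ScoredRecord("CVE-EXAMPLE-0002", 0.88, True),
    ScoredRecord("CVE-EXAMPLE-0003", 0.81, False),
    ScoredRecord("CVE-EXAMPLE-0004", 0.74, True),
    ScoredRecord("CVE-EXAMPLE-0005", 0.62, False),
    ScoredRecord("CVE-EXAMPLE-0006", 0.55, True),
    ScoredRecord("CVE-EXAMPLE-0007", 0.48, False),
    ScoredRecord("CVE-EXAMPLE-0008", 0.37, False),
    ScoredRecord("CVE-EXAMPLE-0009", 0.21, False),
    ScoredRecord("CVE-EXAMPLE-0010", 0.12, False),
]

# Same scores, outcomes rearranged so the high-risk bucket is exploited less
# often than the low-risk one (constructed to show the failing case).
_INVERTED_OUTCOMES = [False, False, True, False, True, True, False, True, False, True]
CONSTRUCTED_INVERTED = [
    ScoredRecord(r.cve_id, r.severity, flag)
    for r, flag in zip(CONSTRUCTED, _INVERTED_OUTCOMES)
]


def confusion(records, threshold=0.7):
    """Confusion matrix with 'high-risk' as the positive prediction."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for r in records:
        predicted = r.severity >= threshold
        if predicted and r.exploited:
            counts["tp"] += 1
        elif predicted:
            counts["fp"] += 1
        elif r.exploited:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def precision_recall(records, threshold=0.7):
    """Precision and recall of the high-risk label against the exploited flag."""
    c = confusion(records, threshold)
    predicted_pos = c["tp"] + c["fp"]
    actual_pos = c["tp"] + c["fn"]
    precision = c["tp"] / predicted_pos if predicted_pos else 0.0
    recall = c["tp"] / actual_pos if actual_pos else 0.0
    return precision, recall


def exploitation_rates(records, threshold=0.7):
    """Observed exploitation rate inside the high-risk and low-risk buckets."""
    def rate(bucket):
        return sum(r.exploited for r in bucket) / len(bucket) if bucket else 0.0
    high = [r for r in records if r.severity >= threshold]
    low = [r for r in records if r.severity < threshold]
    return rate(high), rate(low)


def verdict(records, threshold=0.7):
    """The falsification test: high-risk items must be exploited more often than low-risk ones."""
    rate_high, rate_low = exploitation_rates(records, threshold)
    return {
        "rate_high": rate_high,
        "rate_low": rate_low,
        "lift": rate_high / rate_low if rate_low else float("inf"),
        "consistent": rate_high > rate_low,
    }


if __name__ == "__main__":
    print("constructed:", verdict(CONSTRUCTED), precision_recall(CONSTRUCTED))
    print("inverted:  ", verdict(CONSTRUCTED_INVERTED), precision_recall(CONSTRUCTED_INVERTED))
```

With a real model the scores would come from the framework's severity output and the flags from an independent exploitation source; the point of the lift ratio is that it is unaffected by how the weights were chosen, which is exactly what an internal correlation cannot offer.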

Figures

Figures reproduced from arXiv: 2604.06252 by Wanru Shao.

Figure 1. Vulnerability severity distribution analysis: (a)
Figure 2. Risk factor correlation analysis: (a) attack vector vs.

Original abstract

The exponential growth of Common Vulnerabilities and Exposures (CVE) disclosures poses significant challenges for enterprise security management, necessitating automated and quantitative risk assessment methodologies. Existing vulnerability analysis approaches suffer from three critical limitations: (1) lack of systematic severity quantification models that integrate heterogeneous attack attributes, (2) insufficient exploration of latent correlations among risk factors, and (3) absence of cumulative risk distribution analysis for prioritized remediation. To address these challenges, we propose MVRAF (Multi-dimensional Vulnerability Risk Assessment Framework), a comprehensive data-driven framework for large-scale CVE security analysis. Our framework introduces three key innovations: (1) a Vulnerability Severity Quantification Model that transforms CVSS attributes into normalized risk metrics through weighted aggregation of exploitability and CIA impact scores, (2) a Risk Factor Correlation Analysis module that captures statistical dependencies among attack vectors, complexity, and privilege requirements via correlation matrices, and (3) an Empirical Risk Distribution mechanism that enables cumulative threat assessment for resource allocation optimization. Extensive experiments on 1,314 real-world CVE records from the National Vulnerability Database demonstrate that our framework effectively identifies risk hotspots, with 46.2% of network-based vulnerabilities classified as high-risk and strong correlations observed between CIA impacts and overall severity scores.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 3 minor

Summary. The manuscript proposes MVRAF, a Multi-dimensional Vulnerability Risk Assessment Framework for large-scale CVE analysis in cloud infrastructures. It comprises three modules: a Vulnerability Severity Quantification Model that applies weighted aggregation to CVSS exploitability and CIA impact scores to generate normalized risk metrics; a Risk Factor Correlation Analysis module that computes statistical dependencies among attack vectors, complexity, and privilege requirements; and an Empirical Risk Distribution mechanism for cumulative threat assessment. Experiments on 1,314 NVD records report that 46.2% of network-based vulnerabilities are classified as high-risk with strong correlations observed between CIA impacts and overall severity scores.

Significance. If the internal severity scores and correlations were shown to align with independent exploit success rates or KEV listings, the framework could offer a practical quantitative tool for prioritizing remediation in cloud environments. The use of real NVD data provides a reasonable starting point for empirical analysis, but the current absence of external validation limits the work's immediate contribution to the field.

major comments (2)
  1. [Abstract / Vulnerability Severity Quantification Model] Abstract and Vulnerability Severity Quantification Model section: the headline claim that the framework 'effectively identifies risk hotspots' with 46.2% high-risk network vulnerabilities rests on a weighted sum of CVSS attributes whose weights are chosen internally without derivation from first principles, external benchmarks, or validation against actual exploit outcomes; this renders the classification and the reported CIA-severity correlations descriptive of the chosen model rather than evidence of real-world risk alignment.
  2. [Risk Factor Correlation Analysis] Risk Factor Correlation Analysis module: the 'strong correlations' between CIA impacts and severity scores are computed solely from the 1,314-record dataset and the internal weighting scheme; without comparison to independent ground truth (e.g., exploit success rates or expert-labeled data), these statistics do not support the claim that the model captures threat accumulation.
minor comments (3)
  1. [Title / Abstract] The title refers to a 'Policy-Driven' framework, yet the abstract and described modules contain no explicit policy component; clarify whether policy integration is part of the Empirical Risk Distribution mechanism or omitted from the summary.
  2. [Vulnerability Severity Quantification Model] Provide the exact numerical weights used in the severity quantification model, the method for selecting them, and any sensitivity analysis performed.
  3. [Experiments] Clarify the selection criteria and preprocessing steps applied to the 1,314 NVD records to allow reproducibility.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address each major comment below, indicating planned revisions to improve clarity and precision without overstating the framework's alignment with external outcomes.

Point-by-point responses
  1. Referee: [Abstract / Vulnerability Severity Quantification Model] Abstract and Vulnerability Severity Quantification Model section: the headline claim that the framework 'effectively identifies risk hotspots' with 46.2% high-risk network vulnerabilities rests on a weighted sum of CVSS attributes whose weights are chosen internally without derivation from first principles, external benchmarks, or validation against actual exploit outcomes; this renders the classification and the reported CIA-severity correlations descriptive of the chosen model rather than evidence of real-world risk alignment.

    Authors: We acknowledge that the weights in the Vulnerability Severity Quantification Model are derived internally from CVSS attribute structures and dataset analysis rather than external benchmarks or exploit outcome data. The 46.2% high-risk classification and CIA-severity correlations are therefore model-specific results on the 1,314 NVD records. In revision, we will update the abstract and model section to explicitly state that these metrics reflect the proposed weighted aggregation applied to CVSS data, and add a dedicated limitations paragraph noting the lack of direct validation against exploit success rates or KEV listings. This will frame the results as quantitative insights from the MVRAF model rather than proven real-world risk alignment.
    revision: partial

  2. Referee: [Risk Factor Correlation Analysis] Risk Factor Correlation Analysis module: the 'strong correlations' between CIA impacts and severity scores are computed solely from the 1,314-record dataset and the internal weighting scheme; without comparison to independent ground truth (e.g., exploit success rates or expert-labeled data), these statistics do not support the claim that the model captures threat accumulation.

    Authors: The reported correlations are computed exclusively from the internal NVD dataset using the MVRAF weighting scheme. We agree this limits claims about capturing broader threat accumulation. In the revised manuscript, we will rephrase the Risk Factor Correlation Analysis section to present these as observed statistical dependencies within the given CVSS records, and add a future-work discussion proposing external validation against independent sources such as exploit databases to better support threat-related interpretations.
    revision: partial

Circularity Check

1 step flagged

Correlation between CIA impacts and severity is by construction in weighted model

specific steps
  1. self-definitional [Abstract]
    "a Vulnerability Severity Quantification Model that transforms CVSS attributes into normalized risk metrics through weighted aggregation of exploitability and CIA impact scores, ... strong correlations observed between CIA impacts and overall severity scores."

    Severity is defined as a weighted sum that incorporates CIA impact scores; therefore the reported correlation between CIA impacts and the resulting severity scores is a direct algebraic consequence of the aggregation formula rather than an empirical discovery.

full rationale

The paper defines severity via weighted aggregation that explicitly includes CIA impact scores, then reports 'strong correlations' between CIA impacts and overall severity as a key result from the same 1,314 CVE records. This correlation follows directly from the model's definition rather than providing independent evidence. The 46.2% high-risk classification is likewise an output of the internal weighting choices with no external anchoring shown. This creates partial circularity in the effectiveness claims, though the framework itself may still serve as a descriptive tool. No self-citation chains or uniqueness theorems are invoked in the provided text.
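To make the construction concrete, here is an added example (not the paper's code) of a weighted CVSS aggregation in the shape the core claim describes, with the correlation-matrix and cumulative-distribution steps alongside it. The CVSS v3.1 metric values are the published ones; the weights (0.4 on exploitability, 0.6 on CIA impact), the 0.7 high-risk cut-off and the eight base vectors are assumptions, since the paper states none of them. Re-running the CIA/severity correlation with the impact weight set to zero shows how much of that correlation the definition itself supplies.

```python
import math

# Published CVSS v3.1 base-metric values (Privileges Required with scope unchanged).
ATTACK_VECTOR = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
ATTACK_COMPLEXITY = {"L": 0.77, "H": 0.44}
PRIVILEGES_REQUIRED = {"N": 0.85, "L": 0.62, "H": 0.27}
USER_INTERACTION = {"N": 0.85, "R": 0.62}
IMPACT = {"H": 0.56, "L": 0.22, "N": 0.0}

MAX_EXPLOITABILITY = 0.85 * 0.77 * 0.85 * 0.85  # AV:N/AC:L/PR:N/UI:N
MAX_CIA = 3 * IMPACT["H"]                        # C:H/I:H/A:H

# ASSUMED model parameters: the paper does not publish its weights or cut-off.
W_EXPLOIT, W_IMPACT, HIGH_RISK = 0.4, 0.6, 0.7

# Constructed CVSS v3.1 base vectors standing in for NVD records.
CONSTRUCTED_VECTORS = [
    "AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H",
    "AV:N/AC:L/PR:N/UI:N/C:N/I:N/A:N",
    "AV:N/AC:H/PR:L/UI:R/C:H/I:L/A:N",
    "AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:N",
    "AV:N/AC:L/PR:N/UI:R/C:H/I:H/A:H",
    "AV:A/AC:L/PR:N/UI:N/C:H/I:N/A:N",
    "AV:L/AC:L/PR:L/UI:N/C:H/I:H/A:H",
    "AV:P/AC:H/PR:H/UI:R/C:L/I:L/A:L",
]


def parse_vector(vector):
    """Turn 'AV:N/AC:L/...' into a dict of metric -> letter value."""
    return dict(part.split(":") for part in vector.split("/"))


def exploitability(m):
    """Product of the four exploitability metrics, normalised to [0, 1]."""
    raw = (ATTACK_VECTOR[m["AV"]] * ATTACK_COMPLEXITY[m["AC"]]
           * PRIVILEGES_REQUIRED[m["PR"]] * USER_INTERACTION[m["UI"]])
    return raw / MAX_EXPLOITABILITY


def cia_impact(m):
    """Sum of the C, I and A impact values, normalised to [0, 1]."""
    return (IMPACT[m["C"]] + IMPACT[m["I"]] + IMPACT[m["A"]]) / MAX_CIA


def severity(m, w_exploit=W_EXPLOIT, w_impact=W_IMPACT):
    """Weighted aggregation: the score contains cia_impact as one of its terms."""
    return w_exploit * exploitability(m) + w_impact * cia_impact(m)


def pearson(xs, ys):
    """Sample Pearson correlation coefficient."""
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def cia_severity_correlation(vectors, w_exploit=W_EXPLOIT, w_impact=W_IMPACT):
    """Correlation between the CIA term and the score built from that term."""
    metrics = [parse_vector(v) for v in vectors]
    return pearson([cia_impact(m) for m in metrics],
                   [severity(m, w_exploit, w_impact) for m in metrics])


def risk_factor_correlation_matrix(vectors):
    """Pairwise correlations among attack vector, complexity and privileges,
    each mapped to its CVSS numeric value (the second module's matrix)."""
    metrics = [parse_vector(v) for v in vectors]
    columns = {"AV": [ATTACK_VECTOR[m["AV"]] for m in metrics],
               "AC": [ATTACK_COMPLEXITY[m["AC"]] for m in metrics],
               "PR": [PRIVILEGES_REQUIRED[m["PR"]] for m in metrics]}
    return {a: {b: pearson(columns[a], columns[b]) for b in columns} for a in columns}


def high_risk_share(vectors, attack_vector="N", threshold=HIGH_RISK):
    """Fraction of records with the given AV whose severity reaches the cut-off."""
    subset = [m for m in map(parse_vector, vectors) if m["AV"] == attack_vector]
    return sum(severity(m) >= threshold for m in subset) / len(subset)


def cumulative_risk(vectors, thresholds):
    """Empirical distribution: share of records at or above each threshold."""
    scores = [severity(parse_vector(v)) for v in vectors]
    return {t: sum(s >= t for s in scores) / len(scores) for t in thresholds}


if __name__ == "__main__":
    print("CIA/severity r, impact weight 0.6:", round(cia_severity_correlation(CONSTRUCTED_VECTORS), 3))
    print("CIA/severity r, impact weight 0.0:", round(cia_severity_correlation(CONSTRUCTED_VECTORS, 0.4, 0.0), 3))
    print("high-risk share of AV:N records:", high_risk_share(CONSTRUCTED_VECTORS))
    print("cumulative shares:", cumulative_risk(CONSTRUCTED_VECTORS, [0.4, 0.7, 0.9]))
    print("AV/AC/PR matrix:", risk_factor_correlation_matrix(CONSTRUCTED_VECTORS))
```

On these constructed vectors the CIA/severity correlation is above 0.8 with the impact weight at 0.6 and falls below 0.1 with it at zero, on identical records; the difference is the definition, not the data. The high-risk share and the cumulative shares are likewise functions of the assumed weights and cut-off, which is the sense in which the circularity check calls them outputs of the weighting choices.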

Axiom & Free-Parameter Ledger

1 free parameter · 2 axioms · 0 invented entities

The central claim rests on the assumption that CVSS attributes can be directly transformed into risk via unspecified weights and that observed correlations reflect causal risk factors; no new physical entities are introduced.

free parameters (1)
  • weights for exploitability and CIA impact scores
    Used to aggregate attributes into normalized risk metrics in the Vulnerability Severity Quantification Model; values not specified in abstract.
axioms (2)
  • domain assumption CVSS base metrics can be linearly combined into a meaningful risk score via fixed or fitted weights
    Invoked in the first key innovation without derivation or external justification.
  • domain assumption Statistical correlations among attack vectors, complexity, and privilege requirements indicate latent risk dependencies
    Basis for the Risk Factor Correlation Analysis module.

pith-pipeline@v0.9.0 · 5505 in / 1413 out tokens · 58215 ms · 2026-05-14T22:21:49.298907+00:00 · methodology
