ABSTRACT
Security metrics and vulnerability prediction for software have attracted considerable interest from the community. Many software security metrics have been proposed, e.g., complexity metrics and cohesion and coupling metrics. In this paper, we propose a novel code metric based on dependency graphs to predict vulnerable components. To validate the effectiveness of the proposed metric, we build a prediction model that targets the JavaScript engine of Firefox. In this experiment, our prediction model achieves very good results in terms of accuracy and recall. This empirical result is good evidence that dependency graphs are also a viable option for early indication of vulnerability.
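As an added illustration that is not code from the paper (the abstract does not define the proposed metric), the following Python sketch shows the general shape of a dependency-graph-based vulnerability predictor: it computes a graph metric for every component of a constructed dependency graph, flags components whose metric exceeds a threshold, and scores the flagged set against constructed ground-truth labels with accuracy, recall and precision, the rates named in the abstract. The component names, the edges, the vulnerability labels, the depth-2 neighbourhood metric and the threshold are all assumptions made for the example.

```python
from collections import deque

# Constructed example graph: caller -> set of callees between components of a
# hypothetical script engine. Names are illustrative, not real Firefox files.
DEPENDENCIES = {
    "jsparse":  {"jsscan", "jsatom", "jsemit"},
    "jsemit":   {"jsopcode", "jsatom"},
    "jsinterp": {"jsopcode", "jsobj", "jsgc", "jsatom"},
    "jsobj":    {"jsgc", "jsatom"},
    "jsgc":     set(),
    "jsatom":   {"jsgc"},
    "jsscan":   {"jsatom"},
    "jsopcode": set(),
    "jsregexp": {"jsobj", "jsgc"},
}

# Constructed ground truth: components that had a past vulnerability.
VULNERABLE = {"jsinterp", "jsobj", "jsgc", "jsparse"}


def fan_in(graph, node):
    """Number of components that depend directly on `node`."""
    return sum(1 for deps in graph.values() if node in deps)


def reachable_within(graph, node, depth):
    """Number of distinct components reachable from `node` in at most `depth`
    hops along outgoing edges (BFS), excluding `node` itself."""
    seen = {node}
    frontier = deque([(node, 0)])
    while frontier:
        cur, d = frontier.popleft()
        if d == depth:
            continue
        for nxt in graph.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, d + 1))
    return len(seen) - 1


def dependency_metric(graph, node, depth=2):
    """Illustrative metric (an assumption, not the paper's definition): size of
    the outgoing depth-limited neighbourhood plus the direct fan-in."""
    return reachable_within(graph, node, depth) + fan_in(graph, node)


def predict(graph, threshold, depth=2):
    """Flag every component whose metric is at least `threshold`."""
    return {n for n in graph if dependency_metric(graph, n, depth) >= threshold}


def evaluate(predicted, actual, universe):
    """Accuracy, recall and precision of a predicted set against ground truth."""
    tp = len(predicted & actual)
    fp = len(predicted - actual)
    fn = len(actual - predicted)
    tn = len(universe - predicted - actual)
    return {
        "accuracy": (tp + tn) / len(universe),
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


def run_example(threshold=4):
    predicted = predict(DEPENDENCIES, threshold)
    return predicted, evaluate(predicted, VULNERABLE, set(DEPENDENCIES))


if __name__ == "__main__":
    flagged, scores = run_example()
    print("flagged:", sorted(flagged))
    print("scores:", scores)
```

With the constructed graph and a threshold of 4, every vulnerable component is flagged (recall 1.0) at the cost of two false positives, which is the usual trade-off such a threshold-based model exposes: lowering the threshold buys recall with precision, and the accuracy figure alone hides that trade-off.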
Index Terms
- Predicting vulnerable software components with dependency graphs