Aram Hovsepyan
James Walden
ABSTRACT
Early identification of software vulnerabilities is essential in software engineering and can help reduce not only costs, but also prevent loss of reputation and damaging litigations for a software firm. Techniques and tools for software vulnerability prediction are thus invaluable. Most of the existing techniques rely on using component characteristic(s) (like code complexity, code churn) for the vulnerability prediction. In this position paper, we present a novel approach for vulnerability prediction that leverages on the analysis of raw source code as text, instead of using "cooked" features. Our initial results seem to be very promising as the prediction model achieves an average accuracy of 0.87, precision of 0.85 and recall of 0.88 on 18 versions of a large mobile application.
- Android rises, symbian and windows phone 7 launch as worldwide smartphone shipments increase 87.2% year over year, according to idc (2011), http://www.idc.com/Google Scholar
- Austin, A., Williams, L.: One technique is not enough: A comparison of vulnerability discovery techniques. In: ESEM. pp. 97--106 (2011) Google ScholarDigital Library
- Fortify: Fortify. https://www.fortify.com/ (2011)Google Scholar
- Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (October 2007) Google ScholarDigital Library
- Shin, Y., Meneely, A., Williams, L., Osborne, J.A.: Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Trans. Software Eng. 37(6), 772--787 (2011) Google ScholarDigital Library
- Walden, J., Doyle, M.: Savi: Static analysis vulnerability indicator. IEEE Security and Privacy (to appear) (2012) Google ScholarDigital Library
- Zeman, E.: Android, ios crush blackberry market share (2011), http://www.informationweek.comGoogle Scholar
- Zimmermann, T., Nagappan, N., Williams, L.: Searching for a needle in a haystack: Predicting security vulnerabilities for windows vista. In: Proceedings of the 3rd International Conference on Software Testing, Verification and Validation (April 2010) Google ScholarDigital Library
Index Terms
- Software vulnerability prediction using text analysis techniques
Recommendations
Software vulnerability prediction: A systematic mapping study
Abstract Context:Software security is considered a major aspect of software quality as the number of discovered vulnerabilities in software products is growing. Vulnerability prediction is a mechanism that helps engineers to prioritize their inspection ...
Highlights- Vulnerability prediction identifies vulnerable software components.
- A systematic mapping study describes the software vulnerability prediction domain.
- Most datasets consist of real-world software from reports in vulnerability ...
Cross-Project Vulnerability Prediction Based on Software Metrics and Deep Learning
Computational Science and Its Applications – ICCSA 2020AbstractVulnerability prediction constitutes a mechanism that enables the identification and mitigation of software vulnerabilities early enough in the development cycle, improving the security of software products, which is an important quality attribute ...
An empirical study on using the national vulnerability database to predict software vulnerabilities
DEXA'11: Proceedings of the 22nd international conference on Database and expert systems applications - Volume Part ISoftware vulnerabilities represent a major cause of cybersecurity problems. The National Vulnerability Database (NVD) is a public data source that maintains standardized information about reported software vulnerabilities. Since its inception in 1997, ...
Comments