A proposed approach to build an automated software security assessment framework using mined patterns and metrics

Kazi Zakia Sultana, Tai Yin Chong

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Software security is a major concern for developers who intend to deliver reliable software. Although there is research that focuses on vulnerability prediction and discovery, there is still a need to build security-specific metrics that measure software security and vulnerability-proneness quantitatively. Existing methods are based either on software metrics (defined on the physical characteristics of code, e.g. complexity or lines of code), which are not security-specific, or on generic patterns known as nano-patterns (Java method-level traceable patterns that characterize a Java method or function). Other methods predict vulnerabilities using text mining approaches or graph algorithms, which perform poorly in cross-project validation and fail to generalize as a prediction model for arbitrary systems. In this paper, we envision constructing an automated framework that will assist developers in assessing the security level of their code and guide them towards developing secure code. To accomplish this goal, we aim to refine and redefine the existing nano-patterns and software metrics to make them more security-centric, so that they can be used to measure the security level of source code (either a file or a function) with higher accuracy. We present our visionary approach through a series of three consecutive studies in which we (1) will study the challenges of the current software metrics and nano-patterns in vulnerability prediction, (2) will redefine and characterize the nano-patterns and software metrics so that they capture security-specific properties of code and measure the security level quantitatively, and finally (3) will implement an automated framework that lets developers automatically extract the values of all the patterns and metrics for a given code segment and then flags the estimated security level as feedback, based on our research results.
We conducted preliminary experiments and present results indicating that our vision can be practically implemented and will have valuable implications for the software security community.

Original language: English
Title of host publication: Proceedings - 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019
Editors: Meikang Qiu
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 176-181
Number of pages: 6
ISBN (Electronic): 9781728116631
State: Published - Aug 2019
Event: 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019 - New York, United States
Duration: 1 Aug 2019 to 3 Aug 2019

Publication series

Name: Proceedings - 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019

Conference

Conference: 22nd IEEE International Conference on Computational Science and Engineering and 17th IEEE International Conference on Embedded and Ubiquitous Computing, CSE/EUC 2019
Country: United States
City: New York
Period: 1/08/19 to 3/08/19

Keywords

  • Machine learning
  • Metrics
  • Patterns
  • Software Security
  • Software vulnerability
