Abstract
The goal of this research is to build a vulnerability prediction model to assist developers in evaluating the security of software systems during the early stages of development. In this study, we used traceable patterns that can be automatically identified or extracted from the source code of functions or methods. These patterns were introduced in earlier studies and are termed nanopatterns. We also used software metrics alongside nanopatterns as features for training a vulnerability prediction model. We blend these two kinds of features and propose nano-metrics, a set of nanopatterns combined with method-level software metrics, to predict vulnerability more accurately than existing models. This study investigates how the proposed features perform in vulnerability prediction compared to traditional software metrics. We designed and conducted experiments based on machine learning and statistical analysis to predict vulnerabilities reported for Apache Tomcat (releases 6 and 7), Apache CXF, Android (versions 6 and 7), and two stand-alone Java web applications from Stanford Securibench. We present performance measures using tenfold cross-validation and cross-project validation of the proposed approach. We also identified significant pairs of metrics and patterns in vulnerable methods. We found that the proposed nano-metrics have a lower false negative rate and higher recall in predicting vulnerable code than software metrics (lowest recall is 67% vs. 63% with Logistic Regression). Nano-metrics show higher precision than nanopatterns alone, which improves their overall F2-measure compared to software metrics (highest is 90% vs. 79% with Logistic Regression). Our experiments present a new set of features for building a vulnerability prediction model with better recall and precision.
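The following is an added illustration, not code from the paper or its authors. It approximates a handful of the nanopatterns the abstract refers to (NoParams, NoReturn, Recursive, Leaf, Looping, Exceptions, ObjectCreator, ArrayCreator, ArrayReader, ArrayWriter, FieldReader, FieldWriter) from Java source text with regular expressions, which is an assumption for demonstration only: the published nanopattern detector works on compiled bytecode, and field access here is only recognized when qualified with `this.`. It pairs those patterns with three method-level metrics (LOC, parameter count, a cyclomatic-complexity estimate) into one "nano-metric" feature vector, and then computes the evaluation measures the abstract reports: recall, false negative rate, precision and the F-beta measure with beta = 2. The sample methods and the labels in the evaluation are constructed and are not taken from any of the studied projects.

```python
"""Nano-metric feature extraction and F2 scoring (added example, not the paper's code).

Nanopatterns are approximated from Java source text with regular expressions;
the original detector operates on bytecode, so treat every pattern below as an
approximation. Field access is only detected when written as `this.field`.
"""
import re
from typing import Dict, Sequence

# Constructed sample methods (not from any project studied in the paper).
SAMPLE_METHODS = {
    "parseHeader": """
    public String parseHeader(byte[] buf, int off) {
        String name = null;
        for (int i = off; i < buf.length; i++) {
            if (buf[i] == ':') {
                name = new String(buf, off, i - off);
                break;
            }
        }
        if (name == null) throw new IllegalArgumentException("no header");
        return name;
    }""",
    "getCount": """
    public int getCount() {
        return this.count;
    }""",
    "walk": """
    private void walk(Node n) {
        if (n == null) return;
        walk(n.left);
        walk(n.right);
    }""",
}

# Keywords that are followed by '(' but are not method invocations.
_NOT_CALLS = {"if", "for", "while", "switch", "catch", "synchronized", "return"}


def _split(src: str):
    """Return (signature text, parameter list text, method body text)."""
    header, _, body = src.partition("{")
    params = header[header.index("(") + 1 : header.rindex(")")].strip()
    return header, params, body


def extract_nanopatterns(name: str, src: str) -> Dict[str, bool]:
    """Approximate a subset of nanopatterns for one Java method given its name and source."""
    header, params, body = _split(src)
    # Every `identifier(` in the body is treated as a call; `new T(` counts too,
    # mirroring the constructor invocation present in bytecode.
    calls = [c for c in re.findall(r"\b([A-Za-z_]\w*)\s*\(", body) if c not in _NOT_CALLS]
    has = lambda pattern: re.search(pattern, body) is not None  # noqa: E731
    return {
        "NoParams": params == "",
        "NoReturn": re.search(r"\bvoid\b", header) is not None,
        "Recursive": name in calls,
        "Leaf": not calls,
        "Looping": has(r"\b(?:for|while|do)\b"),
        "Exceptions": has(r"\b(?:throw|try|catch)\b"),
        "ObjectCreator": has(r"\bnew\s+[\w.]+\s*\("),
        "ArrayCreator": has(r"\bnew\s+[\w.]+\s*\["),
        "ArrayReader": has(r"(?<!new )\b\w+\s*\["),
        "ArrayWriter": has(r"\w+\s*\[[^\]]*\]\s*=(?!=)"),
        "FieldReader": has(r"\bthis\.\w+\b(?!\s*=[^=])"),
        "FieldWriter": has(r"\bthis\.\w+\s*=(?!=)"),
    }


def extract_metrics(src: str) -> Dict[str, int]:
    """Method-level metrics: non-blank LOC, parameter count, cyclomatic estimate."""
    _, params, body = _split(src)
    loc = sum(1 for line in src.splitlines() if line.strip())
    decisions = len(re.findall(r"\b(?:if|for|while|case|catch)\b|&&|\|\||\?", body))
    return {"LOC": loc, "Params": 0 if not params else params.count(",") + 1,
            "Cyclomatic": 1 + decisions}


def nano_metrics(name: str, src: str) -> Dict[str, int]:
    """Blend both feature kinds into one integer-valued vector for a classifier."""
    return {**{k: int(v) for k, v in extract_nanopatterns(name, src).items()},
            **extract_metrics(src)}


def evaluate(y_true: Sequence[int], y_pred: Sequence[int], beta: float = 2.0) -> Dict[str, float]:
    """Precision, recall, false negative rate and F-beta (beta=2 weights recall over precision)."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t and p)
    fp = sum(1 for t, p in zip(y_true, y_pred) if not t and p)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t and not p)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    fnr = fn / (tp + fn) if tp + fn else 0.0
    b2 = beta * beta
    fbeta = (1 + b2) * precision * recall / (b2 * precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "fnr": fnr, "f_beta": fbeta}


if __name__ == "__main__":
    for method_name, source in SAMPLE_METHODS.items():
        print(method_name, nano_metrics(method_name, source))
    # Constructed labels/predictions: a recall-heavy classifier scores higher on F2 than on F1.
    y_true = [1, 0, 1, 1, 0, 0, 1, 0]
    y_pred = [1, 0, 1, 1, 0, 1, 1, 1]
    print("F2:", evaluate(y_true, y_pred, beta=2.0))
    print("F1:", evaluate(y_true, y_pred, beta=1.0))
```

The constructed prediction set above has recall 1.0 and precision 2/3; F2 comes out at 10/11 while F1 is 0.8, which is why an evaluation that reports F2, as the abstract does, rewards a model that misses fewer vulnerable methods even at the cost of extra false positives. A real pipeline would feed the `nano_metrics` vectors of labelled methods into a classifier such as Logistic Regression and compare against a metrics-only baseline under tenfold and cross-project validation.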
Original language | English |
---|---|
Article number | 599 |
Journal | SN Computer Science |
Volume | 4 |
Issue number | 5 |
DOIs | |
State | Published - Sep 2023 |
Keywords
- Nanopatterns
- Software metrics
- Software quality
- Software security
- Software testing
- Software vulnerability