Evaluating micro patterns and software metrics in vulnerability prediction

Kazi Zakia Sultana, Byron J. Williams

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

1 Citation (Scopus)

Abstract

Software security is an important aspect of ensuring software quality. Early detection of vulnerable code during development is essential if developers are to make software testing cost- and time-effective. Traditional software metrics are used for early detection of software vulnerabilities, but they are not directly related to code constructs and do not specify any particular granularity level. The goal of this study is to help developers evaluate software security using class-level traceable patterns called micro patterns in order to reduce security risks. The concept of micro patterns is similar to that of design patterns, but micro patterns can be automatically recognized and mined from source code. If micro patterns predict vulnerable classes better than traditional software metrics do, they can be used to develop a vulnerability prediction model. This study explores the performance of class-level patterns in vulnerability prediction and compares them with traditional class-level software metrics. We studied security vulnerabilities as reported for one major release each of Apache Tomcat, Apache Camel and three stand-alone Java web applications. We used machine learning techniques to predict vulnerabilities using micro patterns and class-level metrics as features. We found that micro patterns have higher recall in detecting vulnerable classes than the software metrics.

Original language: English
Title of host publication: SoftwareMining 2017 - Proceedings of the 2017 6th IEEE/ACM International Workshop on Software Mining, co-located with ASE 2017
Editors: Xiaoyin Wang, Ming Li, David Lo
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 40-47
Number of pages: 8
ISBN (Electronic): 9781538613894
DOIs: 10.1109/SOFTWAREMINING.2017.8100852
State: Published - 7 Nov 2017
Event: 6th IEEE/ACM International Workshop on Software Mining, SoftwareMining 2017 - Urbana-Champaign, United States
Duration: 3 Nov 2017 → …

Publication series

Name: SoftwareMining 2017 - Proceedings of the 2017 6th IEEE/ACM International Workshop on Software Mining, co-located with ASE 2017

Conference

Conference: 6th IEEE/ACM International Workshop on Software Mining, SoftwareMining 2017
Country: United States
City: Urbana-Champaign
Period: 3/11/17 → …

Fingerprint

Software testing, Learning systems, Costs, Software metrics, Vulnerability, Prediction, Software, Developer

Cite this

Sultana, K. Z., & Williams, B. J. (2017). Evaluating micro patterns and software metrics in vulnerability prediction. In X. Wang, M. Li, & D. Lo (Eds.), SoftwareMining 2017 - Proceedings of the 2017 6th IEEE/ACM International Workshop on Software Mining, co-located with ASE 2017 (pp. 40-47). [8100852] (SoftwareMining 2017 - Proceedings of the 2017 6th IEEE/ACM International Workshop on Software Mining, co-located with ASE 2017). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SOFTWAREMINING.2017.8100852