Towards a software vulnerability prediction model using traceable code patterns and software metrics

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)

Abstract

Software security is an important aspect of ensuring software quality. The goal of this study is to help developers evaluate software security using traceable patterns and software metrics during development. The concept of traceable patterns is similar to design patterns but they can be automatically recognized and extracted from source code. If these patterns can better predict vulnerable code compared to traditional software metrics, they can be used in developing a vulnerability prediction model to classify code as vulnerable or not. By analyzing and comparing the performance of traceable patterns with metrics, we propose a vulnerability prediction model. This study explores the performance of some code patterns in vulnerability prediction and compares them with traditional software metrics. We use the findings to build an effective vulnerability prediction model. We evaluate security vulnerabilities reported for Apache Tomcat, Apache CXF and three stand-alone Java web applications. We use machine learning and statistical techniques for predicting vulnerabilities using traceable patterns and metrics as features. We found that patterns have a lower false negative rate and higher recall in detecting vulnerable code than the traditional software metrics.
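As an added illustration of the set-up the abstract describes (extract features per code unit, train a classifier, compare recall and false-negative rate between metric features and pattern features), the Python below is an example written for this page, not the paper's code or data. The Java snippets and their vulnerable/not-vulnerable labels are constructed; the three pattern detectors are hypothetical stand-ins for the paper's traceable patterns, which the abstract does not enumerate; and the nearest-centroid classifier is a dependency-free substitute for whatever learners the study used.

```python
"""Metric features vs. pattern features for vulnerability prediction.

Added example, not the paper's code or data. The Java snippets, their labels,
the three "traceable pattern" detectors and the nearest-centroid classifier are
constructed assumptions mimicking the abstract's set-up: extract features per
code unit, train a classifier, compare recall and false-negative rate.
"""
import re
from statistics import mean, pstdev

# Constructed, labelled Java method bodies (True = "reported vulnerable").
SAMPLES = [
    ('String q = "SELECT * FROM u WHERE n=\'" + request.getParameter("n") + "\'";\n'
     'stmt.execute(q);', True),
    ('String p = request.getParameter("f");\nFile f = new File(base, p);\n'
     'return new FileInputStream(f);', True),
    ('try { parse(in); } catch (Exception e) { }\nreturn buf;', True),
    ('String cmd = "ls " + request.getParameter("dir");\n'
     'Runtime.getRuntime().exec(cmd);', True),
    ('String s = request.getParameter("id");\n'
     'try { id = Long.parseLong(s); } catch (NumberFormatException e) { }\n'
     'return load(id);', True),
    ('int n = Integer.parseInt(request.getParameter("n"));\n'
     'if (n < 0 || n > MAX) { throw new IllegalArgumentException(); }\n'
     'return items.get(n);', False),
    ('for (int i = 0; i < list.size(); i++) {\n  if (list.get(i) == null) { continue; }\n'
     '  total += list.get(i).value();\n}\nreturn total;', False),
    ('if (a) { if (b) { if (c) { log(x); } } }\nreturn x;', False),
    ('StringBuilder sb = new StringBuilder();\nsb.append(escape(name));\n'
     'return sb.toString();', False),
]

BRANCH_RE = re.compile(r"\b(if|for|while|case|catch)\b|&&|\|\|")


def metric_features(src):
    """Traditional metrics: non-blank LOC, cyclomatic complexity, max brace nesting."""
    loc = sum(1 for line in src.splitlines() if line.strip())
    complexity = 1 + len(BRANCH_RE.findall(src))
    depth = cur = 0
    for ch in src:
        if ch == "{":
            cur += 1
            depth = max(depth, cur)
        elif ch == "}":
            cur -= 1
    return [loc, complexity, depth]


# Hypothetical traceable patterns: mechanically recognisable from source text.
PATTERNS = {
    "input_in_concat": re.compile(
        r'"\s*\+\s*request\.getParameter|request\.getParameter\([^)]*\)\s*\+'),
    "input_to_sink": re.compile(
        r"request\.getParameter[\s\S]*?(execute|new File|exec)\("),
    "swallowed_exception": re.compile(r"catch\s*\([^)]*\)\s*\{\s*\}"),
}


def pattern_features(src):
    """One 0/1 indicator per pattern, in PATTERNS order."""
    return [int(bool(p.search(src))) for p in PATTERNS.values()]


def fit_predict(train, x):
    """Nearest-centroid classifier (dependency-free stand-in for the study's
    learners): z-score features on the training rows, predict the class whose
    mean vector is nearer to x. Ties go to 'vulnerable'."""
    cols = list(zip(*[f for f, _ in train]))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]  # constant column -> unit scale

    def z(f):
        return [(v - m) / s for v, m, s in zip(f, mu, sd)]

    dist = {}
    for label in (True, False):
        rows = [z(f) for f, y in train if y == label]
        centroid = [mean(c) for c in zip(*rows)]
        dist[label] = sum((a - b) ** 2 for a, b in zip(z(x), centroid))
    return dist[True] <= dist[False]


def evaluate(extract):
    """Leave-one-out over SAMPLES; returns counts, recall, FNR and precision."""
    feats = [(extract(src), y) for src, y in SAMPLES]
    tp = fn = fp = tn = 0
    for i, (x, y) in enumerate(feats):
        pred = fit_predict(feats[:i] + feats[i + 1:], x)
        if y:
            tp, fn = (tp + 1, fn) if pred else (tp, fn + 1)
        else:
            fp, tn = (fp + 1, tn) if pred else (fp, tn + 1)
    return {"tp": tp, "fn": fn, "fp": fp, "tn": tn,
            "recall": tp / (tp + fn), "fnr": fn / (tp + fn),
            "precision": tp / (tp + fp) if tp + fp else 0.0}


if __name__ == "__main__":
    for name, extract in (("metrics", metric_features), ("patterns", pattern_features)):
        print(name, evaluate(extract))
```

On this toy set the pattern features recover every labelled-vulnerable unit while the size/complexity metrics miss one, which mirrors the direction of the abstract's finding but proves nothing beyond the constructed data; the same harness applied to real Tomcat or CXF units would need the study's own pattern catalogue and labelled units. Note also that the pattern detectors are purely lexical, so a validated parameter that still reaches a sink would fire "input_to_sink": the false-positive side of pattern features is exactly what a precision column is there to expose.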

Original language: English
Title of host publication: ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering
Editors: Tien N. Nguyen, Grigore Rosu, Massimiliano Di Penta
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 1022-1025
Number of pages: 4
ISBN (Electronic): 9781538626849
DOIs: https://doi.org/10.1109/ASE.2017.8115724
State: Published - 20 Nov 2017
Event: 32nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017 - Urbana-Champaign, United States
Duration: 30 Oct 2017 to 3 Nov 2017

Publication series

Name: ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering

Conference

Conference: 32nd IEEE/ACM International Conference on Automated Software Engineering, ASE 2017
Country: United States
City: Urbana-Champaign
Period: 30/10/17 to 3/11/17

Cite this

Sultana, K. Z. (2017). Towards a software vulnerability prediction model using traceable code patterns and software metrics. In T. N. Nguyen, G. Rosu, & M. Di Penta (Eds.), ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (pp. 1022-1025). [8115724] (ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/ASE.2017.8115724
Sultana, Kazi Zakia. / Towards a software vulnerability prediction model using traceable code patterns and software metrics. ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering. editor / Tien N. Nguyen ; Grigore Rosu ; Massimiliano Di Penta. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 1022-1025 (ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering).
@inproceedings{904e06503195423cb97d33d85c882fc9,
title = "Towards a software vulnerability prediction model using traceable code patterns and software metrics",
abstract = "Software security is an important aspect of ensuring software quality. The goal of this study is to help developers evaluate software security using traceable patterns and software metrics during development. The concept of traceable patterns is similar to design patterns but they can be automatically recognized and extracted from source code. If these patterns can better predict vulnerable code compared to traditional software metrics, they can be used in developing a vulnerability prediction model to classify code as vulnerable or not. By analyzing and comparing the performance of traceable patterns with metrics, we propose a vulnerability prediction model. This study explores the performance of some code patterns in vulnerability prediction and compares them with traditional software metrics. We use the findings to build an effective vulnerability prediction model. We evaluate security vulnerabilities reported for Apache Tomcat, Apache CXF and three stand-alone Java web applications. We use machine learning and statistical techniques for predicting vulnerabilities using traceable patterns and metrics as features. We found that patterns have a lower false negative rate and higher recall in detecting vulnerable code than the traditional software metrics.",
author = "Sultana, {Kazi Zakia}",
year = "2017",
month = "11",
day = "20",
doi = "10.1109/ASE.2017.8115724",
language = "English",
series = "ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "1022--1025",
editor = "Nguyen, {Tien N.} and Grigore Rosu and {Di Penta}, Massimiliano",
booktitle = "ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering",
}

TY - GEN
T1 - Towards a software vulnerability prediction model using traceable code patterns and software metrics
AU - Sultana, Kazi Zakia
PY - 2017/11/20
Y1 - 2017/11/20
AB - Software security is an important aspect of ensuring software quality. The goal of this study is to help developers evaluate software security using traceable patterns and software metrics during development. The concept of traceable patterns is similar to design patterns but they can be automatically recognized and extracted from source code. If these patterns can better predict vulnerable code compared to traditional software metrics, they can be used in developing a vulnerability prediction model to classify code as vulnerable or not. By analyzing and comparing the performance of traceable patterns with metrics, we propose a vulnerability prediction model. This study explores the performance of some code patterns in vulnerability prediction and compares them with traditional software metrics. We use the findings to build an effective vulnerability prediction model. We evaluate security vulnerabilities reported for Apache Tomcat, Apache CXF and three stand-alone Java web applications. We use machine learning and statistical techniques for predicting vulnerabilities using traceable patterns and metrics as features. We found that patterns have a lower false negative rate and higher recall in detecting vulnerable code than the traditional software metrics.
UR - http://www.scopus.com/inward/record.url?scp=85041452101&partnerID=8YFLogxK
U2 - 10.1109/ASE.2017.8115724
DO - 10.1109/ASE.2017.8115724
M3 - Conference contribution
AN - SCOPUS:85041452101
T3 - ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering
SP - 1022
EP - 1025
BT - ASE 2017 - Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering
A2 - Nguyen, Tien N.
A2 - Rosu, Grigore
A2 - Di Penta, Massimiliano
PB - Institute of Electrical and Electronics Engineers Inc.
ER -