Abstract
Vulnerability Prediction Models (VPMs) are used to predict vulnerability-prone modules, and many software security metrics have been proposed for them. In this paper, we predict vulnerability-prone components. Based on a software network graph, we define component cohesion and coupling metrics, which are used as security metrics to build the VPM. To validate the prediction performance, we conduct an empirical study on Firefox 3.6. Compared with the results of other works, our model performs well in accuracy, precision, and recall, which indicates that the proposed metrics are also effective in vulnerability prediction.
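To make the idea of graph-derived component metrics concrete, here is an added example (not the paper's code) that collapses a function-level dependency graph into per-component cohesion and coupling scores and ranks components for review; the graph is constructed, and the metric definitions are assumptions for illustration, since the page does not give the paper's formulas.

```python
# Added example (not from the paper): component cohesion/coupling features
# derived from a software network graph, as a VPM might consume them.
from collections import defaultdict

# Constructed sample: function -> component (file/module) assignment.
COMPONENT_OF = {
    "parse_header": "net", "read_bytes": "net", "send": "net",
    "decode_png": "img", "alloc_buf": "img",
    "render": "ui", "paint": "ui", "layout": "ui",
    "log": "util",
}
# Constructed sample: directed call/dependency edges between functions.
EDGES = [
    ("parse_header", "read_bytes"), ("read_bytes", "send"),
    ("decode_png", "alloc_buf"), ("decode_png", "read_bytes"),
    ("render", "decode_png"), ("render", "paint"),
    ("paint", "layout"), ("layout", "render"),
    ("render", "log"), ("decode_png", "log"), ("send", "log"),
]

def component_graph(component_of, edges):
    """Count edges inside each component and record cross-component links."""
    intra = defaultdict(int)   # edges whose endpoints share a component
    inter = defaultdict(set)   # other components each component touches
    for src, dst in edges:
        cs, cd = component_of[src], component_of[dst]
        if cs == cd:
            intra[cs] += 1
        else:
            inter[cs].add(cd)
            inter[cd].add(cs)
    return intra, inter

def metrics(component_of, edges):
    """Assumed definitions: cohesion = intra-component edges / n*(n-1)
    possible directed edges; coupling = number of distinct neighbours."""
    members = defaultdict(list)
    for fn, comp in component_of.items():
        members[comp].append(fn)
    intra, inter = component_graph(component_of, edges)
    out = {}
    for comp, fns in members.items():
        n = len(fns)
        possible = n * (n - 1)
        cohesion = intra[comp] / possible if possible else 0.0
        out[comp] = {"size": n, "cohesion": round(cohesion, 3),
                     "coupling": len(inter[comp])}
    return out

def rank_for_review(m):
    """Highest coupling first, lowest cohesion breaking ties: the components
    a VPM built on these features would flag for closer security review."""
    return sorted(m, key=lambda c: (-m[c]["coupling"], m[c]["cohesion"]))
```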
Acknowledgments
This work was supported by National Natural Science Foundation of China (NSFC) (Grant No. U1636115).
© 2017 Springer International Publishing AG
Cite this paper
Wei, S., Du, X., Hu, C., Shan, C. (2017). Predicting Vulnerable Software Components Using Software Network Graph. In: Wen, S., Wu, W., Castiglione, A. (eds) Cyberspace Safety and Security. CSS 2017. Lecture Notes in Computer Science(), vol 10581. Springer, Cham. https://doi.org/10.1007/978-3-319-69471-9_21
DOI: https://doi.org/10.1007/978-3-319-69471-9_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69470-2
Online ISBN: 978-3-319-69471-9
eBook Packages: Computer Science (R0)