Title :
Ranking Attack-Prone Components with a Predictive Model
Author :
Gegick, Michael ; Williams, Laurie
Author_Institution :
Dept. of Comput. Sci., North Carolina State Univ., NC
Abstract :
Limited resources preclude software engineers from finding and fixing all vulnerabilities in a software system. An early security risk analysis that ranks software components by their probability of being attacked can provide an affordable means of prioritizing fortification efforts on the highest-risk components. We created a predictive model using classification and regression trees and the following internal metrics: quantity of Klocwork static analysis warnings, file coupling, and quantity of changed and added lines of code. We validated the model against pre-release security testing failures on a large commercial telecommunications system. The model assigned a probability of attack to each file; upon ranking the probabilities in descending order, we found that 72% of the attack-prone files are in the top 10% of the ranked files and 90% are in the top 20% of the files.
Keywords :
probability; program diagnostics; regression analysis; security of data; trees (mathematics); Klocwork static analysis warnings; attack-prone component; classification trees; file coupling; predictive model; regression trees; security risk analysis; Buffer overflow; Classification tree analysis; Failure analysis; Input variables; Performance analysis; Predictive models; Regression tree analysis; Risk analysis; Security; Software systems; Attack-prone;
Conference_Title :
Software Reliability Engineering, 2008. ISSRE 2008. 19th International Symposium on
Conference_Location :
Seattle, WA
Print_ISBN :
978-0-7695-3405-3
Electronic_ISBN :
1071-9458
DOI :
10.1109/ISSRE.2008.24