Title :
Predicting Vulnerable Components: Software Metrics vs Text Mining
Author :
Walden, James ; Stuckman, Jeffrey ; Scandariato, Riccardo
Author_Institution :
Dept. of Comput. Sci., Northern Kentucky Univ., Highland Heights, KY, USA
Abstract :
Building secure software is difficult, time-consuming, and expensive. Prediction models that identify vulnerability prone software components can be used to focus security efforts, thus helping to reduce the time and effort required to secure software. Several kinds of vulnerability prediction models have been proposed over the course of the past decade. However, these models were evaluated with differing methodologies and datasets, making it difficult to determine the relative strengths and weaknesses of different modeling techniques. In this paper, we provide a high-quality, public dataset, containing 223 vulnerabilities found in three web applications, to help address this issue. We used this dataset to compare vulnerability prediction models based on text mining with models using software metrics as predictors. We found that text mining models had higher recall than software metrics based models for all three applications.
Keywords :
Internet; data mining; object-oriented programming; security of data; software metrics; text analysis; Web applications; secure software building; software metrics; text mining; vulnerability prediction model; vulnerability prone software component identification; vulnerable component prediction; Authorization; Databases; Predictive models; Software; Software metrics; Text mining;
Conference_Titel :
Software Reliability Engineering (ISSRE), 2014 IEEE 25th International Symposium on
Conference_Location :
Naples
Print_ISBN :
978-1-4799-6032-3
DOI :
10.1109/ISSRE.2014.32
