  • DocumentCode
    185189
  • Title
    Predicting Vulnerable Components: Software Metrics vs Text Mining
  • Author
    Walden, James ; Stuckman, Jeffrey ; Scandariato, Riccardo
  • Author_Institution
    Dept. of Comput. Sci., Northern Kentucky Univ., Highland Heights, KY, USA
  • fYear
    2014
  • fDate
    3-6 Nov. 2014
  • Firstpage
    23
  • Lastpage
    33
  • Abstract
    Building secure software is difficult, time-consuming, and expensive. Prediction models that identify vulnerability prone software components can be used to focus security efforts, thus helping to reduce the time and effort required to secure software. Several kinds of vulnerability prediction models have been proposed over the course of the past decade. However, these models were evaluated with differing methodologies and datasets, making it difficult to determine the relative strengths and weaknesses of different modeling techniques. In this paper, we provide a high-quality, public dataset, containing 223 vulnerabilities found in three web applications, to help address this issue. We used this dataset to compare vulnerability prediction models based on text mining with models using software metrics as predictors. We found that text mining models had higher recall than software metrics based models for all three applications.
  • Keywords
    Internet; data mining; object-oriented programming; security of data; software metrics; text analysis; Web applications; secure software building; software metrics; text mining; vulnerability prediction model; vulnerability prone software component identification; vulnerable component prediction; Authorization; Databases; Predictive models; Software; Software metrics; Text mining;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Software Reliability Engineering (ISSRE), 2014 IEEE 25th International Symposium on
  • Conference_Location
    Naples
  • ISSN
    1071-9458
  • Print_ISBN
    978-1-4799-6032-3
  • Type
    conf
  • DOI
    10.1109/ISSRE.2014.32
  • Filename
    6982351