DOI: 10.5555/3155562.3155700
Towards a software vulnerability prediction model using traceable code patterns and software metrics

Published: 30 October 2017

Abstract

Software security is an important aspect of ensuring software quality. The goal of this study is to help developers evaluate software security during development using traceable patterns and software metrics. Traceable patterns are similar in concept to design patterns, but they can be automatically recognized and extracted from source code. If these patterns predict vulnerable code better than traditional software metrics do, they can be used to build a vulnerability prediction model that classifies code as vulnerable or not. By analyzing and comparing the performance of traceable patterns with that of metrics, we propose such a vulnerability prediction model. This study explores the performance of several code patterns in vulnerability prediction, compares them with traditional software metrics, and uses the findings to build an effective vulnerability prediction model. We evaluate security vulnerabilities reported for Apache Tomcat, Apache CXF and three stand-alone Java web applications, using machine learning and statistical techniques to predict vulnerabilities with traceable patterns and metrics as features. We found that patterns have a lower false negative rate and higher recall in detecting vulnerable code than the traditional software metrics.


Cited By

  • (2018) A Longitudinal Study of Anti Micro Patterns in 113 versions of Tomcat. Proceedings of the 14th International Conference on Predictive Models and Data Analytics in Software Engineering, pp. 90-93. DOI: 10.1145/3273934.3273945. Online publication date: 10 Oct 2018.

Published In

ASE '17: Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, October 2017, 1033 pages. ISBN: 9781538626849.

Publisher: IEEE Press

Acceptance rate: 82 of 337 submissions (24%)
