Predicting Attack Prone Software Components using Repository Mined Change Metrics

Daniel Hein, Hossein Saiedian

2016

Abstract

Identification of attack-prone entities is a crucial step toward improving the state of information security in modern software based systems. Recent work in the fields of empirical software engineering and defect prediction show promise toward identifying and prioritizing attack prone entities using information extracted from software version control repositories. Equipped with knowledge of the most vulnerable entities, organizations can efficiently allocate resources to more effectively leverage secure software development practices, isolating and expunging vulnerabilities before they are released in production products. Such practices include security reviews, automated static analysis, and penetration testing, among others. Efficiently focusing secure development practices on entities of greatest need can help identify and eliminate vulnerabilities in a more cost effective manner when compared to wholesale application for large products.

References

  1. OSVDB: Open sourced vulnerability database. osvdb.net (online). http:// www.osvdb.net/, accessed May 30, 2013.
  2. Abdelmoez, W., Nassar, D. M., Shereshevsky, M., Gradetsky, N., Gunnalan, R., Ammar, H. H., Yu, B., and Mili, A. (2004). Error propagation in software architectures. In Software Metrics, 2004. Proceedings. 10th International Symposium on, pages 384-393. IEEE.
  3. Anan, M., Saiedian, H., and Ryoo, J. (2009). An architecture-centric software maintainability assessment using information theory. J. Softw. Maint. Evol.: Res. Pract., 21(1):1-18.
  4. Bell, R. M., Ostrand, T. J., and Weyuker, E. J. (2011). Does measuring code change improve fault prediction? In Proceedings of the 7th International Conference on Predictive Models in Software Engineering, Promise 7811, New York, NY, USA. ACM.
  5. Bozorgi, M., Saul, L., Savage, S., and Voelker, G. M. (2010). Beyond heuristics: Learning to classify vulnerabilities and predict exploits. In Proceedings of the Sixteenth ACM Conference on Knowledge Discovery and Data Mining (KDD-2010), pages 105-113.
  6. Chidamber, S. R. and Kemerer, C. F. (1994). A metrics suite for object oriented design. Software Engineering, IEEE Transactions on, 20(6):476-493.
  7. Chowdhury, I. and Zulkernine, M. (2011). Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. Journal of Systems Architecture, 57(3):294-313.
  8. Gousios, G. (2012). On the importance of tools in software engineering research. Blog. Accessed: 02/20/2013.
  9. Gyimothy, T., Ferenc, R., and Siket, I. (2005). Empirical validation of object-oriented metrics on open source software for fault prediction. Software Engineering, IEEE Transactions on, 31(10):897-910.
  10. Hassan, A. E. (2009). Predicting faults using the complexity of code changes. In Proceedings of the 31st International Conference on Software Engineering, ICSE 7809, pages 78-88, Washington, DC, USA. IEEE Computer Society.
  11. Jackson, D. and Wing, J. (1996). Lightweight formal methods. IEEE Computer, 29(4):16-30.
  12. Janzen, D. and Saiedian, H. (2007). A leveled examination of test-driven development acceptance. In Proceedings of the 29th ACM International Conference on Software Engineering, pages 719-722. ACM.
  13. Khoshgoftaar, T. M., Allen, E. B., Goel, N., Nandi, A., and McMullan, J. (1996). Detection of software modules with high debug code churn in a very large legacy system. In Proceedings of the The Seventh International Symposium on Software Reliability Engineering, ISSRE 7896, Washington, DC, USA. IEEE Computer Society.
  14. Manadhata, P. K. and Wing, J. M. (2011). An attack surface metric. Software Engineering, IEEE Transactions on, 37(3):371-386.
  15. McGraw, G. (1999). Software assurance for security. Computer, 32(4):103-105.
  16. Mell, P., Scarfone, K., and Romanosky, S. (2007). CVSS: A Complete Guide to the Common Vulnerability Scoring System Version 2.0. FIRST: Forum of Incident Response and Security Teams.
  17. Moser, R., Pedrycz, W., and Succi, G. (2008). A comparative analysis of the efficiency of change metrics and static code attributes for defect prediction. In Software Engineering, 2008. ICSE 7808. ACM/IEEE 30th International Conference on, ICSE 7808, pages 181- 190, New York, NY, USA. IEEE.
  18. Munson, J. C. and Elbaum, S. G. (1998). Code churn: a measure for estimating the impact of code change. In Proceedings. International Conference on Software Maintenance (Cat. No. 98CB36272), pages 24-31. IEEE Computer Society.
  19. Munson, J. C. and Khoshgoftaar, T. M. (1992). The detection of fault-prone programs. IEEE Transactions on Software Engineering, 18(5):423-433.
  20. Nagappan, N. and Ball, T. (2005). Use of relative code churn measures to predict system defect density. In Proceedings of the 27th international conference on Software engineering, ICSE 7805, pages 284-292, New York, NY, USA. ACM.
  21. Nagappan, N., Zeller, A., Zimmermann, T., Herzig, K., and Murphy, B. (2010). Change bursts as defect predictors. In Software Reliability Engineering (ISSRE), 2010 IEEE 21st International Symposium on, pages 309-318. IEEE.
  22. NIST. NVD:national vulnerability database. National Institute of Science and Technology, online. http:// nvd.nist.gov/, accessed May 30, 2013.
  23. Ostrand, T. J., Weyuker, E. J., and Bell, R. M. (2010). Programmer-based fault prediction. In Proceedings of the 6th International Conference on Predictive Models in Software Engineering, PROMISE 7810, New York, NY, USA. ACM.
  24. Saltzer, J. H. and Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE, 9(63):1278-1308.
  25. Sarkar, S., Rama, G. M., and Kak, A. C. (2007). API-based and information-theoretic metrics for measuring the quality of software modularization. Software Engineering, IEEE Transactions on, 33(1):14-32.
  26. Shin, Y. (2011). Investigating Complexity Metrics as Indicators of Software Vulnerability. PhD thesis, North Carolina State University, Raleigh, North Carolina.
  27. Shin, Y., Meneely, A., Williams, L., and Osborne, J. A. (2011). Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. Software Engineering, IEEE Transactions on, 37(6):772-787.
  28. Younis, A., Malaiya, Y., and Ray, I. (2014). Using attack surface entry points and reachability analysis to assess the risk of software vulnerability exploitability. In High-Assurance Systems Engineering (HASE), 2014 IEEE 15th International Symposium on, pages 1-8.
Download


Paper Citation


in Harvard Style

Hein D. and Saiedian H. (2016). Predicting Attack Prone Software Components using Repository Mined Change Metrics . In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 554-563. DOI: 10.5220/0005812905540563


in Bibtex Style

@conference{icissp16,
author={Daniel Hein and Hossein Saiedian},
title={Predicting Attack Prone Software Components using Repository Mined Change Metrics},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2016},
pages={554-563},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005812905540563},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Predicting Attack Prone Software Components using Repository Mined Change Metrics
SN - 978-989-758-167-0
AU - Hein D.
AU - Saiedian H.
PY - 2016
SP - 554
EP - 563
DO - 10.5220/0005812905540563