Predicting vulnerable software components via bellwethers

Patrick Kwaku Kudjo, Jinfu Chen, Solomon Mensah, Richard Amankwah

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

5 Citations (Scopus)

Abstract

Software vulnerabilities are weaknesses, flaws or errors introduced during the life cycle of a software system. Although previous studies have demonstrated the practical significance of using software metrics to predict vulnerable software components, empirical evidence shows that these metrics are plagued with issues concerning their effectiveness and robustness. This paper investigates the feasibility of using Bellwethers (i.e., exemplary data) for predicting and classifying software vulnerabilities. We introduce a Bellwether method built on three operators: PARTITION, SAMPLE + TRAIN and APPLY. The Bellwethers sampled by these operators are used to train a learner (i.e., deep neural networks) with the aim of predicting essential or non-essential vulnerabilities. We evaluate the proposed Bellwether method using vulnerability reports for three popular web browsers, extracted from CVE. In addition, the mean absolute error (MAE), Welch's t-test and Cliff's δ effect size are used to further evaluate the prediction performance and the practically and statistically significant difference between the Bellwethers and the growing portfolio. We found that there exist subsets of vulnerability records (Bellwethers) in the studied datasets that can yield improved accuracy for software vulnerability prediction. The results show that recall and precision measures from the text mining process were in the ranges of 73.9%–85.3% and 67.9%–81.8% respectively across the three studied datasets. The findings further show that the use of Bellwethers for predictive modelling is a promising research direction for assisting software engineers and practitioners seeking to predict the vulnerability records that demand the most attention prior to software release.

Original language: English
Title of host publication: Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers
Editors: Huanguo Zhang, Bo Zhao, Fei Yan
Publisher: Springer Verlag
Pages: 389-407
Number of pages: 19
ISBN (Print): 9789811359125
DOIs
Publication status: Published - 2019
Externally published: Yes
Event: 12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018 - Wuhan
Duration: 18 Oct 2018 to 18 Oct 2018

Publication series

Name: Communications in Computer and Information Science
Volume: 960
ISSN (Print): 1865-0929

Conference

Conference: 12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018
Country/Territory: China
City: Wuhan
Period: 18/10/18 to 18/10/18

Keywords

  • Bellwethers
  • Growing portfolio
  • Software metrics
  • Software vulnerability
  • Web browsers
