TY - GEN
T1 - Predicting vulnerable software components via bellwethers
AU - Kudjo, Patrick Kwaku
AU - Chen, Jinfu
AU - Mensah, Solomon
AU - Amankwah, Richard
N1 - Publisher Copyright:
© 2019, Springer Nature Singapore Pte Ltd.
PY - 2019
Y1 - 2019
N2 - Software vulnerabilities are weaknesses, flaws or errors introduced during the life cycle of a software system. Although previous studies have demonstrated the practical value of using software metrics to predict vulnerable software components, empirical evidence shows that these metrics have known limitations in effectiveness and robustness. This paper investigates the feasibility of using Bellwethers (i.e., exemplary data) for predicting and classifying software vulnerabilities. We introduce a Bellwether method built from three operators: PARTITION, SAMPLE + TRAIN and APPLY. The Bellwethers sampled by these operators are used to train a learner (deep neural networks) that predicts whether a vulnerability is essential or non-essential. We evaluate the proposed Bellwether method on vulnerability reports for three popular web browsers taken from CVE. In addition, the mean absolute error (MAE), Welch's t-test and Cliff's δ effect size are used to evaluate prediction performance and the statistical significance and practical magnitude of the difference between the Bellwethers and the growing portfolio. We found that the studied datasets contain subsets of vulnerability records (Bellwethers) that yield improved accuracy for software vulnerability prediction. Recall and precision from the text mining process ranged from 73.9% to 85.3% and from 67.9% to 81.8% respectively across the three studied datasets. The findings further show that using Bellwethers for predictive modelling is a promising research direction for helping software engineers and practitioners identify the vulnerability records that demand the most attention prior to software release.
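The PARTITION / SAMPLE + TRAIN / APPLY loop described in the abstract, as an added Python example that is not the paper's code: the vulnerability records, the project names and the nearest-centroid learner (standing in for the paper's deep neural network) are constructed assumptions; the selection criterion (lowest mean MAE when a candidate partition's model is applied to every other partition) and the "growing portfolio" baseline (one model retrained on every partition pooled) are simplifications of the paper's setup, and Cliff's δ is computed over per-record absolute errors on a fourth, unseen project.

```python
"""Bellwether selection over vulnerability records (added illustration).

Not the paper's code.  Each constructed record is a vulnerability report
reduced to three term-presence indicators mined from its text
(remote, memory, crash) plus a label: 1 = essential, 0 = non-essential.
The learner is a nearest-centroid classifier standing in for the paper's
deep neural network; the selection loop and the statistics are the point.
"""
from math import dist

# Constructed data (assumed, not from the paper).  browser_a is clean and
# covers every feature pattern, browser_b contains mislabelled reports,
# browser_c is small and lopsided.  Rows are (source, features, label).
RECORDS = [
    ("browser_a", (0, 0, 0), 0), ("browser_a", (0, 0, 1), 0),
    ("browser_a", (0, 1, 0), 0), ("browser_a", (0, 1, 1), 0),
    ("browser_a", (1, 0, 0), 0), ("browser_a", (1, 0, 1), 0),
    ("browser_a", (1, 1, 0), 1), ("browser_a", (1, 1, 1), 1),
    ("browser_a", (1, 1, 0), 1), ("browser_a", (1, 1, 1), 1),
    ("browser_b", (0, 0, 0), 0), ("browser_b", (0, 0, 1), 0),
    ("browser_b", (0, 1, 0), 0), ("browser_b", (0, 1, 1), 1),
    ("browser_b", (1, 0, 0), 0), ("browser_b", (1, 0, 1), 1),
    ("browser_b", (1, 1, 0), 0), ("browser_b", (1, 1, 1), 1),
    ("browser_c", (0, 0, 0), 0), ("browser_c", (1, 0, 0), 0),
    ("browser_c", (0, 1, 0), 0), ("browser_c", (1, 1, 1), 1),
]
# A fourth, unseen project (constructed: essential iff remote and memory),
# used only to compare the bellwether against the growing portfolio.
NEW_PROJECT = [((a, b, c), int(a and b))
               for a in (0, 1) for b in (0, 1) for c in (0, 1)]


def partition(records):
    """PARTITION: group (source, features, label) rows by source."""
    groups = {}
    for source, x, y in records:
        groups.setdefault(source, []).append((x, y))
    return groups


def train(examples):
    """Nearest-centroid learner: one centroid per class."""
    model = {}
    for label in (0, 1):
        pts = [x for x, y in examples if y == label]
        if not pts:
            raise ValueError(f"no examples of class {label}")
        model[label] = tuple(sum(col) / len(pts) for col in zip(*pts))
    return model


def predict(model, x):
    """Essential (1) only if strictly closer to the class-1 centroid."""
    return int(dist(x, model[1]) < dist(x, model[0]))


def errors(model, examples):
    """Per-record absolute error (0 or 1 for binary labels)."""
    return [abs(predict(model, x) - y) for x, y in examples]


def mae(model, examples):
    e = errors(model, examples)
    return sum(e) / len(e)


def select_bellwether(groups):
    """SAMPLE + TRAIN on each partition, APPLY to every other partition.
    The bellwether is the partition whose model transfers best, i.e. has
    the lowest mean MAE over the other partitions."""
    scores = {}
    for name, examples in groups.items():
        model = train(examples)
        others = [mae(model, ex) for other, ex in groups.items() if other != name]
        scores[name] = sum(others) / len(others)
    return min(scores, key=scores.get), scores


def cliffs_delta(xs, ys):
    """Cliff's delta = P(x > y) - P(x < y); negative means xs tend smaller."""
    gt = sum(1 for x in xs for y in ys if x > y)
    lt = sum(1 for x in xs for y in ys if x < y)
    return (gt - lt) / (len(xs) * len(ys))


def compare_on_new_project(groups, bellwether, target):
    """Bellwether model vs growing portfolio (all partitions pooled) on a
    project neither has seen.  Returns (bellwether MAE, portfolio MAE,
    Cliff's delta of bellwether errors vs portfolio errors)."""
    bw = train(groups[bellwether])
    portfolio = train([ex for exs in groups.values() for ex in exs])
    e_bw, e_pf = errors(bw, target), errors(portfolio, target)
    return mae(bw, target), mae(portfolio, target), cliffs_delta(e_bw, e_pf)


if __name__ == "__main__":
    groups = partition(RECORDS)
    best, scores = select_bellwether(groups)
    print("transfer MAE per candidate:", scores)
    print("bellwether:", best)
    print("new project (bellwether MAE, portfolio MAE, Cliff's delta):",
          compare_on_new_project(groups, best, NEW_PROJECT))
```

On this constructed data the clean, representative partition wins (its model transfers with the lowest mean MAE), and on the unseen project its per-record errors are smaller than the pooled portfolio's, giving a negative Cliff's δ; by the usual magnitude thresholds (|δ| below 0.147 negligible, below 0.33 small, below 0.474 medium, otherwise large) a value of 0.25 is "small". Welch's t-test is left out to keep the block dependency-free; with SciPy it is `scipy.stats.ttest_ind(e_bw, e_pf, equal_var=False)` on the same two error lists. Two practitioner caveats: the unseen project must never take part in bellwether selection, or the comparison leaks; and with a handful of records the effect size and p-value describe the mechanics, not evidence.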
KW - Bellwethers
KW - Growing portfolio
KW - Software metrics
KW - Software vulnerability
KW - Web browsers
UR - http://www.scopus.com/inward/record.url?scp=85060212333&partnerID=8YFLogxK
U2 - 10.1007/978-981-13-5913-2_24
DO - 10.1007/978-981-13-5913-2_24
M3 - Conference contribution
AN - SCOPUS:85060212333
SN - 9789811359125
T3 - Communications in Computer and Information Science
SP - 389
EP - 407
BT - Trusted Computing and Information Security - 12th Chinese Conference, CTCIS 2018, Revised Selected Papers
A2 - Zhang, Huanguo
A2 - Zhao, Bo
A2 - Yan, Fei
PB - Springer Verlag
T2 - 12th Chinese Conference on Trusted Computing and Information Security, CTCIS 2018
Y2 - 18 October 2018 through 18 October 2018
ER -