Enhancing Software Vulnerability Prediction Models

Authors

  • Santosh Kumar Kande

DOI:

https://doi.org/10.47941/ijce.2258

Keywords:

Vulnerability, Software Engineering, Prediction Models, Metrics, Security, Software, Open Source, VPM, Precision, Recall, Accuracy, Benchmark.

Abstract

Purpose: The purpose of this study is to evaluate and replicate various Vulnerability Prediction Models (VPMs) to determine their effectiveness in identifying software vulnerabilities. Given the increasing complexity of software, identifying vulnerabilities during development is becoming more challenging. This study aims to enhance the accuracy of vulnerability prediction to improve security inspections and testing.

Methodology: The study involves benchmarking different VPM approaches, including software metrics, text mining, and automated static analysis. These models are evaluated using a dataset that consists of over 100,000 lines of code from multiple open-source projects. The evaluation focuses on assessing the models in terms of precision, recall, and F-Measure.

Findings: The findings indicate that combining multiple VPM techniques results in improved prediction accuracy. The study demonstrates that integrating various approaches enhances the overall effectiveness of vulnerability detection in software development.

Unique Contribution to Theory, Practice, and Policy (Recommendations): The unique contribution of this study lies in its demonstration that a multi-technique approach to VPMs can significantly enhance prediction accuracy. This finding offers valuable insights for both theoretical advancements and practical applications in software security. For practice, it suggests that incorporating a combination of VPM techniques can lead to more effective vulnerability detection. For policy, it underscores the importance of adopting advanced and varied VPM methods to improve software security measures. Future research should focus on expanding datasets to include a broader range of projects and incorporating machine learning techniques to further enhance VPM predictive capabilities.

Published

2024-09-20

How to Cite

Kande, S. K. (2024). Enhancing Software Vulnerability Prediction Models. International Journal of Computing and Engineering, 6(5), 10–24. https://doi.org/10.47941/ijce.2258

Section

Articles