Research area: Verification
Venue: SN Computer Science
The goal of this research is to build a vulnerability prediction model that assists developers in evaluating the security of software systems during the early stages of development. In this study, we use traceable patterns that can be automatically identified or extracted from the source code of functions or methods. These patterns were introduced in earlier studies and are termed nanopatterns. We also use software metrics alongside nanopatterns as features for training a vulnerability prediction model. We blend these two kinds of features and propose nano-metrics, a set of nanopatterns combined with method-level software metrics, to predict vulnerability more accurately than existing models. This study investigates how the proposed features perform in vulnerability prediction compared to traditional software metrics. We designed and conducted experiments based on machine learning and statistical analysis to predict vulnerabilities reported for Apache Tomcat (releases 6 and 7), Apache CXF, Android (versions 6 and 7), and two stand-alone Java web applications from Stanford SecuriBench. We report performance measures from tenfold cross-validation and cross-project validation of the proposed approach. We also identify significant pairs of metrics and patterns in vulnerable methods. We found that the proposed nano-metrics have a lower false negative rate and higher recall in predicting vulnerable code than software metrics (lowest recall is 67% vs. 63% with Logistic Regression). Nano-metrics show higher precision than nanopatterns alone, which improves their overall F-measure compared to software metrics (highest is 90% vs. 79% with Logistic Regression). Our experiments present a new set of features for building a vulnerability prediction model with better recall and precision.
| Publication year | 2023 |
|---|---|
| Citations | 0 |
| Country of publication | United States |
| Site | Springer |