Software security failures are common and the problem is growing. A vulnerability is a weakness in the software that, when exploited, causes a security failure. It is difficult to detect vulnerabilities until they manifest themselves as security failures in the operational stage of software, because security concerns are often not addressed or known sufficiently early in the software development life cycle. Numerous studies have shown that complexity, coupling, and cohesion (CCC) related structural metrics are important indicators of the quality of software architecture, and software architecture is one of the most important and earliest design decisions that influences the final quality of the software system. Although these metrics have been successfully employed to indicate software faults in general, there are no systematic guidelines on how to use them to predict vulnerabilities in software. If CCC metrics can be used to indicate vulnerabilities, they could aid in the conception of a more secure architecture, leading to more secure design and code and eventually better software. In this paper, we present a framework to automatically predict vulnerabilities based on CCC metrics. To empirically validate the framework and its prediction accuracy, we conduct a large empirical study on fifty-two releases of Mozilla Firefox developed over a period of four years. To build vulnerability predictors, we consider four alternative data mining and statistical techniques - C4.5 Decision Tree, Random Forests, Logistic Regression, and Naive Bayes - and compare their prediction performance. We are able to correctly predict the majority of the vulnerability-prone files in Mozilla Firefox, with tolerable false positive rates. Moreover, the predictors built from past releases can reliably predict the likelihood of vulnerabilities in future releases. The experimental results indicate that structural information from the non-security realm, such as complexity, coupling, and cohesion, is useful in vulnerability prediction.
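The cross-release evaluation the abstract describes (fit a predictor on an earlier release's per-file CCC metrics, apply it to the next release, report recall and false positive rate), as an added example that is not the paper's code: a Gaussian Naive Bayes, one of the four techniques named above, implemented in plain Python. The metric values and vulnerability labels below are constructed for illustration, not measured Firefox data.

```python
import math

# Constructed per-file rows: (cyclomatic complexity, fan-out coupling,
# cohesion in [0, 1], label) with label 1 = a vulnerability was reported
# in the file, 0 = none. Illustrative values, not measured Firefox data.
RELEASE_N = [  # training release (the "past")
    (120, 18, 0.20, 1), (95, 14, 0.30, 1), (150, 22, 0.10, 1), (80, 12, 0.35, 1),
    (20, 3, 0.80, 0), (35, 5, 0.70, 0), (15, 2, 0.90, 0),
    (40, 6, 0.75, 0), (25, 4, 0.85, 0), (30, 3, 0.80, 0),
]
RELEASE_N_PLUS_1 = [  # the next release, whose labels the model never sees
    (130, 20, 0.15, 1), (22, 3, 0.85, 0), (100, 15, 0.25, 1), (38, 5, 0.70, 0),
    (18, 2, 0.90, 0), (60, 9, 0.50, 0), (45, 6, 0.65, 1),
]

def fit_gaussian_nb(rows):
    """Estimate class prior and per-feature mean/variance (Gaussian Naive Bayes)."""
    by_class = {}
    for *x, y in rows:
        by_class.setdefault(y, []).append(x)
    model = {}
    for y, xs in by_class.items():
        cols = list(zip(*xs))
        means = [sum(c) / len(c) for c in cols]
        variances = [sum((v - m) ** 2 for v in c) / len(c) + 1e-9
                     for c, m in zip(cols, means)]  # floor avoids division by zero
        model[y] = (math.log(len(xs) / len(rows)), means, variances)
    return model

def predict(model, x):
    """Return the class with the highest log posterior for one file's metrics."""
    best, best_score = None, -math.inf
    for y, (log_prior, means, variances) in model.items():
        score = log_prior
        for v, m, var in zip(x, means, variances):
            score += -0.5 * math.log(2 * math.pi * var) - (v - m) ** 2 / (2 * var)
        if score > best_score:
            best, best_score = y, score
    return best

def evaluate(model, rows):
    """Confusion counts plus recall and false positive rate on a later release."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for *x, y in rows:
        p = predict(model, x)
        counts[("tp" if y else "fp") if p else ("fn" if y else "tn")] += 1
    counts["recall"] = counts["tp"] / (counts["tp"] + counts["fn"])
    counts["fpr"] = counts["fp"] / (counts["fp"] + counts["tn"])
    return counts
```

On the constructed data the predictor trained on RELEASE_N catches two of the three vulnerable files in RELEASE_N_PLUS_1 and flags one clean file, which is the recall-versus-false-positive trade-off the abstract reports.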