Is Newer Always Better?: The Case of Vulnerability Prediction Models

Finding security vulnerabilities in source code as early as possible is becoming more and more essential. In this respect, vulnerability prediction models have the potential to support security assurance activities by identifying the code locations that deserve the most attention. In this paper, we investigate whether prediction models behave like milk (i.e., they turn with time) or like wine (i.e., they improve with time) when used to predict future vulnerabilities. Our findings indicate that recall values are largely in favor of predictors trained on older versions. However, the better recall comes at the price of much higher file inspection ratio values.
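To make the recall versus file-inspection-ratio trade-off concrete, the following added example (not code from the paper) scores two hypothetical predictors against a constructed set of files with known vulnerability labels. The definition of file inspection ratio as "files flagged for inspection divided by all files" is an assumption; the file names, labels and the `OLD_MODEL_FLAGS` / `NEW_MODEL_FLAGS` sets are constructed purely for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Evaluation:
    """Scores for one predictor on one target version."""
    recall: float            # vulnerable files flagged / all vulnerable files
    inspection_ratio: float  # files flagged / all files (assumed definition)


def evaluate_predictor(flagged: Iterable[str],
                       vulnerable: Iterable[str],
                       all_files: Iterable[str]) -> Evaluation:
    """Compute recall and file inspection ratio for a set of flagged files.

    A predictor that flags everything trivially reaches recall 1.0, but its
    inspection ratio is also 1.0, i.e. reviewers gain nothing from it.
    """
    flagged_set = set(flagged)
    vulnerable_set = set(vulnerable)
    files = set(all_files)
    if not vulnerable_set:
        raise ValueError("recall is undefined when no file is vulnerable")
    if not files:
        raise ValueError("inspection ratio is undefined for an empty file set")
    unknown = flagged_set - files
    if unknown:
        raise ValueError(f"flagged files not in the version: {sorted(unknown)}")
    hits = flagged_set & vulnerable_set
    return Evaluation(recall=len(hits) / len(vulnerable_set),
                      inspection_ratio=len(flagged_set) / len(files))


def compare_predictors(predictions: Dict[str, Set[str]],
                       vulnerable: Set[str],
                       all_files: Set[str]) -> Dict[str, Evaluation]:
    """Score several predictors on the same target version."""
    return {name: evaluate_predictor(flags, vulnerable, all_files)
            for name, flags in predictions.items()}


# --- constructed sample data (hypothetical, for illustration only) ---------
ALL_FILES = {f"src/file{i}.c" for i in range(20)}
VULNERABLE = {"src/file1.c", "src/file4.c", "src/file9.c", "src/file15.c"}

# A predictor trained on an older version: flags many files, catches all four.
OLD_MODEL_FLAGS = {"src/file0.c", "src/file1.c", "src/file2.c", "src/file4.c",
                   "src/file5.c", "src/file7.c", "src/file9.c", "src/file10.c",
                   "src/file12.c", "src/file15.c", "src/file17.c", "src/file19.c"}

# A predictor trained on a newer version: flags few files, catches two of four.
NEW_MODEL_FLAGS = {"src/file1.c", "src/file3.c", "src/file9.c", "src/file11.c"}


def sample_comparison() -> Dict[str, Evaluation]:
    return compare_predictors({"old": OLD_MODEL_FLAGS, "new": NEW_MODEL_FLAGS},
                              VULNERABLE, ALL_FILES)


if __name__ == "__main__":
    for name, ev in sample_comparison().items():
        print(f"{name:>4}: recall={ev.recall:.2f} "
              f"inspection_ratio={ev.inspection_ratio:.2f}")
```

Running the block prints the higher recall of the "old" predictor alongside its three-times-larger inspection ratio, which is the trade-off the abstract reports: a reviewer using it finds more of the vulnerable files but has to read far more code to do so.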
