Development of a Software Vulnerability Prediction Web Service Based on Artificial Neural Networks

Detecting vulnerable components of a web application is an important activity to allocate verification resources effectively. Most of the studies proposed several vulnerability prediction models based on private and public datasets so far. In this study, we aimed to design and implement a software vulnerability prediction web service which will be hosted on Azure cloud computing platform. We investigated several machine learning techniques which exist in Azure Machine Learning Studio environment and observed that the best overall performance on three datasets is achieved when Multi-Layer Perceptron method is applied. Software metrics values are received from a web form and sent to the vulnerability prediction web service. Later, prediction result is computed and shown on the web form to notify the testing expert. Training models were built on datasets which include vulnerability data from Drupal, Moodle, and PHPMyAdmin projects. Experimental results showed that Artificial Neural Networks is a good alternative to build a vulnerability prediction model and building a web service for vulnerability prediction purpose is a good approach for complex systems.

[1]  Wouter Joosen,et al.  Predicting Vulnerable Software Components via Text Mining , 2014, IEEE Transactions on Software Engineering.

[2]  Riccardo Scandariato,et al.  Predicting Vulnerable Components: Software Metrics vs Text Mining , 2014, 2014 IEEE 25th International Symposium on Software Reliability Engineering.

[3]  Laurie A. Williams,et al.  An empirical model to predict security vulnerabilities using code complexity metrics , 2008, ESEM '08.

[4]  Viet Hung Nguyen,et al.  Predicting vulnerable software components with dependency graphs , 2010, MetriSec '10.

[5]  Andreas Zeller,et al.  Predicting vulnerable software components , 2007, CCS '07.

[6]  Laurie A. Williams,et al.  Challenges with applying vulnerability prediction models , 2015, HotSoS.

[7]  Yuming Zhou,et al.  Predicting Vulnerable Components via Text Mining or Software Metrics? An Effort-Aware Perspective , 2015, 2015 IEEE International Conference on Software Quality, Reliability and Security.

[8]  James Walden,et al.  Security of open source web applications , 2009, ESEM 2009.

[9]  David Lo,et al.  Combining Software Metrics and Text Features for Vulnerable File Prediction , 2015, 2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS).

[10]  Mohammad Zulkernine,et al.  Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities , 2011, J. Syst. Archit..

[11]  Lionel C. Briand,et al.  Web Application Vulnerability Prediction Using Hybrid Program Analysis and Machine Learning , 2015, IEEE Transactions on Dependable and Secure Computing.

[12]  Akbar Siami Namin,et al.  Predicting Vulnerable Software Components through N-Gram Analysis and Statistical Feature Selection , 2015, 2015 IEEE 14th International Conference on Machine Learning and Applications (ICMLA).

[13]  Mourad Debbabi,et al.  MARFCAT: Fast code analysis for defects and vulnerabilities , 2015, 2015 IEEE 1st International Workshop on Software Analytics (SWAN).

[14]  Riccardo Scandariato,et al.  Predicting vulnerable classes in an Android application , 2012, MetriSec '12.

[15]  Laurie A. Williams,et al.  Can traditional fault prediction models be used for vulnerability prediction? , 2011, Empirical Software Engineering.

[16]  Lionel C. Briand,et al.  Mining SQL injection and cross site scripting vulnerabilities using hybrid program analysis , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[17]  Michael Gegick,et al.  Prioritizing software security fortification throughcode-level metrics , 2008, QoP '08.

[18]  Lwin Khin Shar,et al.  Predicting common web application vulnerabilities from input validation and sanitization code patterns , 2012, 2012 Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering.

[19]  Miles McQueen,et al.  Estimating Software Vulnerabilities: A Case Study Based on the Misclassification of Bugs in MySQL Server , 2013, 2013 International Conference on Availability, Reliability and Security.

[20]  Laurie A. Williams,et al.  Searching for a Needle in a Haystack: Predicting Security Vulnerabilities for Windows Vista , 2010, 2010 Third International Conference on Software Testing, Verification and Validation.

[21]  Laurie A. Williams,et al.  Using SQL Hotspots in a Prioritization Heuristic for Detecting All Types of Web Application Vulnerabilities , 2011, 2011 Fourth IEEE International Conference on Software Testing, Verification and Validation.

[22]  Ping Wang,et al.  Predicting and Fixing Vulnerabilities before They Occur: A Big Data Approach , 2016, 2016 IEEE/ACM 2nd International Workshop on Big Data Software Engineering (BIGDSE).

[23]  Jongmoon Baik,et al.  Improving vulnerability prediction accuracy with Secure Coding Standard violation measures , 2016, 2016 International Conference on Big Data and Smart Computing (BigComp).

[24]  Miguel Correia,et al.  Detecting and Removing Web Application Vulnerabilities with Static Analysis and Data Mining , 2016, IEEE Transactions on Reliability.

[25]  Miguel Correia,et al.  DEKANT: a static analysis tool that learns to detect web application vulnerabilities , 2016, ISSTA.

[26]  Laurie A. Williams,et al.  Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities , 2011, IEEE Transactions on Software Engineering.