Evaluating micro patterns and software metrics in vulnerability prediction

Software security is an important aspect of software quality. Early detection of vulnerable code during development lets developers make software testing cost- and time-effective. Traditional software metrics are used for early detection of software vulnerabilities, but they are not directly related to code constructs and do not specify any particular granularity level. The goal of this study is to help developers evaluate software security using class-level traceable patterns, called micro patterns, to reduce security risks. The concept of micro patterns is similar to that of design patterns, but micro patterns can be automatically recognized and mined from source code. If micro patterns predict vulnerable classes better than traditional software metrics, they can be used to develop a vulnerability prediction model. This study explores the performance of class-level patterns in vulnerability prediction and compares them with traditional class-level software metrics. We studied the security vulnerabilities reported for one major release of Apache Tomcat, Apache Camel and three stand-alone Java web applications. We used machine learning techniques to predict vulnerabilities, using micro patterns and class-level metrics as features. We found that micro patterns have higher recall in detecting vulnerable classes than the software metrics.
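The following is an added example, not the study's tooling: a deliberately simplified micro-pattern recognizer that turns a Java class into the kind of class-level feature vector (pattern flags beside traditional metrics such as field and method counts) that a vulnerability classifier would consume, together with the recall computation the study uses to compare the two feature families. The pattern rules approximate a few of Gil and Maman's catalogue definitions, and the Java classes, vulnerability labels and the two stand-in predictors are constructed for illustration only.

```python
# Added example, not the paper's tool: a simplified micro-pattern recognizer that turns
# a Java class into the class-level feature vector the study feeds to a classifier.
# Pattern rules approximate Gil & Maman's catalogue; samples and labels are constructed.
import re

def members(src):
    """Split one Java class body into its top-level member declarations."""
    body = src[src.index("{") + 1 : src.rindex("}")]
    out, cur, depth = [], "", 0
    for ch in body:
        cur += ch
        depth += (ch == "{") - (ch == "}")
        if depth == 0 and ch in ";}":  # end of a field, or of a method body
            out.append(cur.strip())
            cur = ""
    return [m for m in out if m]

def split_members(src):
    """(fields, methods) as lists of modifier sets; constructors count as methods."""
    fields, methods = [], []
    for m in members(src):
        head = m.split("=", 1)[0].split("{", 1)[0]  # declaration before initializer/body
        mods = set(re.findall(r"\b(?:public|private|protected|static|final)\b", head))
        (methods if "(" in head else fields).append(mods)
    return fields, methods

def feature_vector(src):
    """Micro-pattern flags (simplified definitions) plus two traditional class metrics."""
    fields, methods = split_members(src)
    inst = [f for f in fields if "static" not in f]  # instance (non-static) fields
    return {"Pool": bool(fields) and not methods and all({"static", "final"} <= f for f in fields),
            "Stateless": not inst and bool(methods),
            "Immutable": bool(inst) and all("final" in f for f in inst),
            "NOF": len(fields), "NOM": len(methods)}

def recall(flagged, labels):  # share of classes labelled vulnerable that the predictor flagged
    vuln = [n for n, v in labels.items() if v]
    return sum(flagged(n) for n in vuln) / len(vuln)

SAMPLES = {  # constructed Java classes (illustration only)
    "Limits": 'class Limits { public static final int MAX = 10; static final String TAG = "t"; }',
    "Point": "class Point { public int x; public int y; }",
    "Util": "class Util { static int twice(int n) { return 2 * n; } }",
    "Token": "class Token { private final String id; Token(String id) { this.id = id; } String id() { return id; } }",
    "Session": "class Session { private String u; void setU(String v) { u = v; } String getU() { return u; } }",
}
LABELS = {"Limits": False, "Point": True, "Util": False, "Token": False, "Session": True}  # constructed
FEATURES = {name: feature_vector(src) for name, src in SAMPLES.items()}
# Hand-written stand-ins for trained models, compared by recall as in the study.
pattern_flag = lambda n: not (FEATURES[n]["Pool"] or FEATURES[n]["Stateless"] or FEATURES[n]["Immutable"])
metric_flag = lambda n: FEATURES[n]["NOM"] >= 2
```

On the constructed set the pattern-based rule reaches recall 1.0 and the method-count rule 0.5; the numbers only illustrate the comparison, not the study's results.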
