Vulnerable Code Detection Using Software Metrics and Machine Learning

Authors: Nadia Medeiros, Naghmeh Ivaki, Pedro Costa, Marco Vieira

DOI: 10.1109/ACCESS.2020.3041181

Keywords:

Abstract: Software metrics are widely used indicators of software quality, and several studies have shown that such metrics can be used to estimate the presence of vulnerabilities in code. In this paper, we present a comprehensive experiment to study how effective software metrics are at distinguishing vulnerable code units from non-vulnerable ones. To this end, we use machine learning algorithms (Random Forest, Extreme Boosting, Decision Tree, SVM Linear, and SVM Radial) to extract vulnerability-related knowledge from software metrics collected from the source code of representative projects developed in C/C++ (Mozilla Firefox, Linux Kernel, Apache HTTPd, Xen, Glibc). We consider different combinations of software metrics and diverse application scenarios with different security concerns (e.g., highly critical or non-critical systems). This study contributes to understanding whether software metrics can effectively be used in such scenarios and can help developers in this regard. The main observation is that using machine learning on top of software metrics helps indicate vulnerable code units with a relatively high level of confidence for security-critical systems (where the focus is on detecting the maximum number of vulnerabilities, even if false positives are reported), but it is not helpful for low-criticality systems due to the false positives (which bring an additional development cost that is frequently not affordable).
