Vulnerability Prediction Models: A Case Study on the Linux Kernel

Jiménez, M.; Papadakis, Mike; Traon, Yves Le

doi:10.1109/scam.2016.15

Cited by 35 publications

(30 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Jimenez et al [22] carried out an empirical study comparing the vulnerability prediction approaches using a dataset of 743 vulnerabilities from the Linux Kernel (which was split into independent training and evaluation data sets) and found that function calls and text mining were the best performing approaches. Although related, Jimenez et al used a commit-based analysis for only one system (while herein we use a release-based one for three systems) and does not investigate the impact of data leakage.…”

Section: Related Workmentioning

confidence: 99%

The importance of accounting for real-world labelling when predicting software vulnerabilities

Jiménez

Rwemalika

Papadakis

et al. 2019

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of

Self Cite

View full text Add to dashboard Cite

Previous work on vulnerability prediction assume that predictive models are trained with respect to perfect labelling information (includes labels from future, as yet undiscovered vulnerabilities). In this paper we present results from a comprehensive empirical study of 1,898 real-world vulnerabilities reported in 74 releases of three security-critical open source systems (Linux Kernel, OpenSSL and Wiresark). Our study investigates the effectiveness of three previously proposed vulnerability prediction approaches, in two settings: with and without the unrealistic labelling assumption. The results reveal that the unrealistic labelling assumption can profoundly mislead the scientific conclusions drawn; suggesting highly effective and deployable prediction results vanish when we fully account for realistically available labelling in the experimental methodology. More precisely, MCC mean values of predictive effectiveness drop from 0.77, 0.65 and 0.43 to 0.08, 0.22, 0.10 for Linux Kernel, OpenSSL and Wiresark, respectively. Similar results are also obtained for precision, recall and other assessments of predictive efficacy. The community therefore needs to upgrade experimental and empirical methodology for vulnerability prediction evaluation and development to ensure robust and actionable scientific findings. CCS CONCEPTS • Software and its engineering → Software defect analysis.

show abstract

Section: Related Workmentioning

confidence: 99%

The importance of accounting for real-world labelling when predicting software vulnerabilities

Jiménez

Rwemalika

Papadakis

et al. 2019

Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of

Self Cite

View full text Add to dashboard Cite

show abstract

“…Although it is a relatively new area of research, a great number of VPMs has already been proposed in the related literature. As stated in [9], the main VPMs that can be found in the literature utilize software metrics [13][14][15][16][17][18][19][20][21][22], text mining [23][24][25][26][27][28], and security-related static analysis alerts [10,[29][30][31][32]] to predict vulnerabilities. These types of VPMs are analyzed in the rest of this section.…”

Section: Vulnerability Prediction Modelingmentioning

confidence: 99%

“…Finally, different empirical studies have shown that text mining-based models exhibit better predictive performance in comparison to other state-of-the-art techniques [9,33,34]. However, they perform poorly in cross-project prediction, which indicates that they are highly projectspecific [33], while excessive amount of time and memory is required for their construction and regular application [9,34].…”

Section: Vulnerability Prediction Modelingmentioning

confidence: 99%

See 1 more Smart Citation

Static Analysis-Based Approaches for Secure Software Development

Siavvas

Gelenbe

Kehagias

et al. 2018

Communications in Computer and Information Science

View full text Add to dashboard Cite

Abstract. Software security is a matter of major concern for software development enterprises that wish to deliver highly secure software products to their customers. Static analysis is considered one of the most effective mechanisms for adding security to software products. The multitude of static analysis tools that are available provide a large number of raw results that may contain security-relevant information, which may be useful for the production of secure software. Several mechanisms that can facilitate the production of both secure and reliable software applications have been proposed over the years. In this paper, two such mechanisms, particularly the vulnerability prediction models (VPMs) and the optimum checkpoint recommendation (OCR) mechanisms, are theoretically examined, while their potential improvement by using static analysis is also investigated. In particular, we review the most significant contributions regarding these mechanisms, identify their most important open issues, and propose directions for future research, emphasizing on the potential adoption of static analysis for addressing the identified open issues. Hence, this paper can act as a reference for researchers that wish to contribute in these subfields, in order to gain solid understanding of the existing solutions and their open issues that require further research.

show abstract

“…Compared with the other vulnerability analysis techniques (e.g., [11,12]), VPM is used as a guidance before security testing. At present, a lot of VPMs have been proposed [6][7][8][9][10][11][12][13][14][15][16][17][18][19]. Software metrics are utilized as features in these VPMs, and the training data are obtained from public vulnerabilities database.…”

Section: Introductionmentioning

confidence: 99%

Vulnerability Prediction Based on Weighted Software Network for Secure Software Building

Wei

Zhong

Shan

et al. 2018

2018 IEEE Global Communications Conference (GLOBECOM)

View full text Add to dashboard Cite

To build a secure communications software, Vulnerability Prediction Models (VPMs) are used to predict vulnerable software modules in the software system before software security testing. At present many software security metrics have been proposed to design a VPM. In this paper, we predict vulnerable classes in a software system by establishing the system's weighted software network. The metrics are obtained from the nodes' attributes in the weighted software network. We design and implement a crawler tool to collect all public security vulnerabilities in Mozilla Firefox. Based on these data, the prediction model is trained and tested. The results show that the VPM based on weighted software network has a good performance in accuracy, precision, and recall. Compared to other studies, it shows that the performance of prediction has been improved greatly in Pr and Re.

show abstract

Vulnerability Prediction Models: A Case Study on the Linux Kernel

Cited by 35 publications

References 23 publications

The importance of accounting for real-world labelling when predicting software vulnerabilities

The importance of accounting for real-world labelling when predicting software vulnerabilities

Static Analysis-Based Approaches for Secure Software Development

Vulnerability Prediction Based on Weighted Software Network for Secure Software Building

Contact Info

Product

Resources

About