Combining software metrics and text features for vulnerable file prediction

Yun Zhang; David Lo; Xin Xia; Bowen Xu; Jianling Sun; Shanping Li

doi:10.1109/ICECCS.2015.15

Combining software metrics and text features for vulnerable file prediction

Yun Zhang, David Lo, Xin Xia, Bowen Xu, Jianling Sun, Shanping Li

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

18 Citations (Scopus)

Abstract

In recent years, to help developers reduce time and effort required to build highly secure software, a number of prediction models which are built on different kinds of features have been proposed to identify vulnerable source code files. In this paper, we propose a novel approach VULPREDICTOR to predict vulnerable files, it analyzes software metrics and text mining together to build a composite prediction model. VULPREDICTOR first builds 6 underlying classifiers on a training set of vulnerable and non-vulnerable files represented by their software metrics and text features, and then constructs a meta classifier to process the outputs of the 6 underlying classifiers. We evaluate our solution on datasets from three web applications including Drupal, PHPMyAdmin and Moodle which contain a total of 3,466 files and 223 vulnerabilities. The experiment results show that VULPREDICTOR can achieve F1 and EffectivenessRatio@20% scores of up to 0.683 and 75%, respectively. On average across the 3 projects, VULPREDICTOR improves the F1 and EffectivenessRatio@20% scores of the best performing state-of-the-art approaches proposed by Walden et al. by 46.53% and 14.93%, respectively.

Original language	English
Title of host publication	Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015
Subtitle of host publication	9–11 December 2015 Gold Coast, Australia
Editors	Yuan-Fang Li
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	40-49
Number of pages	10
ISBN (Electronic)	9781467385817
DOIs	https://doi.org/10.1109/ICECCS.2015.15
Publication status	Published - 2015
Externally published	Yes
Event	IEEE International Conference on Engineering of Complex Computer Systems 2015 - Gold Coast, Australia Duration: 9 Dec 2015 → 11 Dec 2015 Conference number: 20th http://iceccs2015.monash.edu.au/2015/index.jsp https://ieeexplore.ieee.org/xpl/conhome/7381588/proceeding (Proceedings)

Conference

Conference	IEEE International Conference on Engineering of Complex Computer Systems 2015
Abbreviated title	ICECCS 2015
Country/Territory	Australia
City	Gold Coast
Period	9/12/15 → 11/12/15
Internet address	http://iceccs2015.monash.edu.au/2015/index.jsp https://ieeexplore.ieee.org/xpl/conhome/7381588/proceeding (Proceedings)

Keywords

Machine Learning
Text Mining
Vulnerable File

Access to Document

10.1109/ICECCS.2015.15

Cite this

Zhang, Y., Lo, D., Xia, X., Xu, B., Sun, J., & Li, S. (2015). Combining software metrics and text features for vulnerable file prediction. In Y.-F. Li (Ed.), Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015: 9–11 December 2015 Gold Coast, Australia (pp. 40-49). Article 7384228 IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ICECCS.2015.15

Zhang, Yun ; Lo, David ; Xia, Xin et al. / Combining software metrics and text features for vulnerable file prediction. Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015: 9–11 December 2015 Gold Coast, Australia. editor / Yuan-Fang Li. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2015. pp. 40-49

@inproceedings{a7d05264c1904177a5f4074d2c36a379,

title = "Combining software metrics and text features for vulnerable file prediction",

abstract = "In recent years, to help developers reduce time and effort required to build highly secure software, a number of prediction models which are built on different kinds of features have been proposed to identify vulnerable source code files. In this paper, we propose a novel approach VULPREDICTOR to predict vulnerable files, it analyzes software metrics and text mining together to build a composite prediction model. VULPREDICTOR first builds 6 underlying classifiers on a training set of vulnerable and non-vulnerable files represented by their software metrics and text features, and then constructs a meta classifier to process the outputs of the 6 underlying classifiers. We evaluate our solution on datasets from three web applications including Drupal, PHPMyAdmin and Moodle which contain a total of 3,466 files and 223 vulnerabilities. The experiment results show that VULPREDICTOR can achieve F1 and EffectivenessRatio@20\% scores of up to 0.683 and 75\%, respectively. On average across the 3 projects, VULPREDICTOR improves the F1 and EffectivenessRatio@20\% scores of the best performing state-of-the-art approaches proposed by Walden et al. by 46.53\% and 14.93\%, respectively.",

keywords = "Machine Learning, Text Mining, Vulnerable File",

author = "Yun Zhang and David Lo and Xin Xia and Bowen Xu and Jianling Sun and Shanping Li",

year = "2015",

doi = "10.1109/ICECCS.2015.15",

language = "English",

pages = "40--49",

editor = "Li, \{Yuan-Fang \}",

booktitle = "Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

note = "IEEE International Conference on Engineering of Complex Computer Systems 2015, ICECCS 2015 ; Conference date: 09-12-2015 Through 11-12-2015",

url = "http://iceccs2015.monash.edu.au/2015/index.jsp, https://ieeexplore.ieee.org/xpl/conhome/7381588/proceeding",

}

Zhang, Y, Lo, D, Xia, X, Xu, B, Sun, J & Li, S 2015, Combining software metrics and text features for vulnerable file prediction. in Y-F Li (ed.), Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015: 9–11 December 2015 Gold Coast, Australia., 7384228, IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 40-49, IEEE International Conference on Engineering of Complex Computer Systems 2015, Gold Coast, Queensland, Australia, 9/12/15. https://doi.org/10.1109/ICECCS.2015.15

Combining software metrics and text features for vulnerable file prediction. / Zhang, Yun; Lo, David; Xia, Xin et al.
Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015: 9–11 December 2015 Gold Coast, Australia. ed. / Yuan-Fang Li. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers, 2015. p. 40-49 7384228.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Combining software metrics and text features for vulnerable file prediction

AU - Zhang, Yun

AU - Lo, David

AU - Xia, Xin

AU - Xu, Bowen

AU - Sun, Jianling

AU - Li, Shanping

N1 - Conference code: 20th

PY - 2015

Y1 - 2015

N2 - In recent years, to help developers reduce time and effort required to build highly secure software, a number of prediction models which are built on different kinds of features have been proposed to identify vulnerable source code files. In this paper, we propose a novel approach VULPREDICTOR to predict vulnerable files, it analyzes software metrics and text mining together to build a composite prediction model. VULPREDICTOR first builds 6 underlying classifiers on a training set of vulnerable and non-vulnerable files represented by their software metrics and text features, and then constructs a meta classifier to process the outputs of the 6 underlying classifiers. We evaluate our solution on datasets from three web applications including Drupal, PHPMyAdmin and Moodle which contain a total of 3,466 files and 223 vulnerabilities. The experiment results show that VULPREDICTOR can achieve F1 and EffectivenessRatio@20% scores of up to 0.683 and 75%, respectively. On average across the 3 projects, VULPREDICTOR improves the F1 and EffectivenessRatio@20% scores of the best performing state-of-the-art approaches proposed by Walden et al. by 46.53% and 14.93%, respectively.

AB - In recent years, to help developers reduce time and effort required to build highly secure software, a number of prediction models which are built on different kinds of features have been proposed to identify vulnerable source code files. In this paper, we propose a novel approach VULPREDICTOR to predict vulnerable files, it analyzes software metrics and text mining together to build a composite prediction model. VULPREDICTOR first builds 6 underlying classifiers on a training set of vulnerable and non-vulnerable files represented by their software metrics and text features, and then constructs a meta classifier to process the outputs of the 6 underlying classifiers. We evaluate our solution on datasets from three web applications including Drupal, PHPMyAdmin and Moodle which contain a total of 3,466 files and 223 vulnerabilities. The experiment results show that VULPREDICTOR can achieve F1 and EffectivenessRatio@20% scores of up to 0.683 and 75%, respectively. On average across the 3 projects, VULPREDICTOR improves the F1 and EffectivenessRatio@20% scores of the best performing state-of-the-art approaches proposed by Walden et al. by 46.53% and 14.93%, respectively.

KW - Machine Learning

KW - Text Mining

KW - Vulnerable File

UR - https://www.scopus.com/pages/publications/84964876127

U2 - 10.1109/ICECCS.2015.15

DO - 10.1109/ICECCS.2015.15

M3 - Conference Paper

SP - 40

EP - 49

BT - Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015

A2 - Li, Yuan-Fang

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

T2 - IEEE International Conference on Engineering of Complex Computer Systems 2015

Y2 - 9 December 2015 through 11 December 2015

ER -

Zhang Y, Lo D, Xia X, Xu B, Sun J, Li S. Combining software metrics and text features for vulnerable file prediction. In Li YF, editor, Proceedings - 2015 20th International Conference on Engineering of Complex Computer Systems, ICECCS 2015: 9–11 December 2015 Gold Coast, Australia. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. 2015. p. 40-49. 7384228 doi: 10.1109/ICECCS.2015.15

Combining software metrics and text features for vulnerable file prediction

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this