Vulnerability Prediction Model; Replication; Linux Kernel
Abstract :
[en] To assist the vulnerability identification process, researchers proposed prediction models that highlight (for inspection) the most likely to be vulnerable parts of a system. In this paper we aim at making a reliable replication and comparison of the main vulnerability prediction models. Thus, we seek for determining their effectiveness, i.e., their ability to distinguish between vulnerable and non-vulnerable components, in the context of the Linux Kernel, under different scenarios. To achieve the above-mentioned aims, we mined vulnerabilities reported in the National Vulnerability Database and created a large dataset with all vulnerable components of Linux from 2005 to 2016. Based on this, we then built and evaluated the prediction models. We observe that an approach based on the header files included and on function calls performs best when aiming at future vulnerabilities, while text mining is the best technique when aiming at random instances. We also found that models based on code metrics perform poorly. We show that in the context of the Linux kernel, vulnerability prediction models can be superior to random selection and relatively precise. Thus, we conclude that practitioners have a valuable tool for prioritizing their security inspection efforts.
Research center :
ULHPC - University of Luxembourg: High Performance Computing
Disciplines :
Computer science
Author, co-author :
Jimenez, Matthieu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Papadakis, Mike ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Le Traon, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors :
no
Language :
English
Title :
Vulnerability Prediction Models: A case study on the Linux Kernel
Publication date :
October 2016
Event name :
16th IEEE International Working Conference on Source Code Analysis and Manipulation
Event date :
from 02-10-2016 to 03-10-2016
Audience :
International
Main work title :
16th IEEE International Working Conference on Source Code Analysis and Manipulation, SCAM 2016, Raleigh, US, October 2-3, 2016
M. Howard and S. Lipner, The Security Development Lifecycle. Redmond, WA, USA: Microsoft Press, 2006
G. McGraw, "Automated code review tools for security," IEEE Computer, vol. 41, no. 12, pp. 108-111, 2008
I. V. Krsul, "Software vulnerability analysis," Ph.D. dissertation, West Lafayette, IN, USA, 1998
National vulnerability database:. [Online]. Available: https://nvd.nist.gov
G. McGraw and B. Potter, "Software security testing," IEEE Security & Privacy, vol. 2, no. 5, pp. 81-85, 2004
J. Walden, J. Stuckman, and R. Scandariato, "Predicting Vulnerable Components: Software Metrics vs Text Mining," in ISSRE14, pp. 23-33
S. Neuhaus, T. Zimmermann, C. Holler, and A. Zeller, "Predicting vulnerable software components," in CCS07, p. 529
Y. Shin, A. Meneely, L. Williams, and J. A. Osborne, "Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities," IEEE TSE, vol. 37, no. 6, pp. 772-787, Nov. 2011
R. Scandariato, J. Walden, A. Hovsepyan, and W. Joosen, "Predicting Vulnerable Software Components via Text Mining," IEEE TSE, vol. 40, no. 10, pp. 993-1006, Oct. 2014
P. Morrison, K. Herzig, B. Murphy, and L. Williams, "Challenges with applying vulnerability prediction models," in HotSoS15, 2015, pp. 4:1-4:9
T. Hall, S. Beecham, D. Bowes, D. Gray, and S. Counsell, "A systematic literature review on fault prediction performance in software engineering," IEEE Trans. Software Eng., vol. 38, no. 6, pp. 1276-1304, 2012
M. Gegick, L. Williams, J. Osborne, and M. Vouk, "Prioritizing software security fortification throughcode-level metrics," in QoP08, p. 31
Y. Shin and L. Williams, "Can traditional fault prediction models be used for vulnerability prediction?" Empirical Software Engineering, vol. 18, no. 1, pp. 25-59, Feb. 2013
T. Zimmermann, N. Nagappan, and L. Williams, "Searching for a needle in a haystack: Predicting security vulnerabilities for windows vista," in ICST10, pp. 421-428
I. Chowdhury and M. Zulkernine, "Can complexity, coupling, and cohesion metrics be used as early indicators of vulnerabilities?" in SAC10, p. 1963
--, "Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities," Journal of Systems Architecture, vol. 57, no. 3, pp. 294-313, 2011, special Issue on Security and Dependability Assurance of Software Architectures
V. H. Nguyen and L. M. S. Tran, "Predicting vulnerable software components with dependency graphs," in MetriSec10, pp. 3:1-3:8
H. Hata, O. Mizuno, and T. Kikuno, "Fault-prone module detection using large-scale text features based on spam filtering," Empirical Softw. Engg., vol. 15, no. 2, pp. 147-165, Apr. 2010
P. M. Domingos, "A few useful things to know about machine learning," Commun. ACM, vol. 55, no. 10, pp. 78-87, 2012
M. Jimenez, M. Papadakis, T. F. Bissyande, and J. Klein, "Profiling android vulnerabilities," in QRS16. IEEE, 2016
B. Smith and L. Williams, "Using SQL hotspots in a prioritization heuristic for detecting all types of web application vulnerabilities," in ICST11
M. Gegick, P. Rotella, and L. Williams, "Predicting Attack-prone Components," in ICST09. IEEE, pp. 181-190
ESSoS09, ch. Toward Non-security Failures as a Predictor of Security Faults and Failures, pp. 135-149
I. Kononenko, "On biases in estimating multi-valued attributes," in IJCAI95, pp. 1034-1040
B. Matthews, "Comparison of the predicted and observed secondary structure of t4 phage lysozyme," Biochimica et Biophysica Acta (BBA)- Protein Structure, vol. 405, no. 2, pp. 442-451, 1975
S. Varrette, P. Bouvry, H. Cartiaux, and F. Georgatos, "Management of an academic hpc cluster: The ul experience," in Proc. of the 2014 Intl. Conf. on High Performance Computing & Simulation (HPCS 2014). Bologna, Italy: IEEE, July 2014, pp. 959-967
