Exploring Complexity Metrics as Indicators of Software Vulnerability

Exploring Complexity Metrics as Indicators of Software Vulnerability Yonghee Shin Jason Froehlich October 29, 2008

Definitions
Error – human mistake that causes a fault in software
Fault – encoded human error that causes a failure when executed
Failure – deviation of a system from required behavior
Vulnerability – weakness that makes it possible for a potential security violation to occur

Study Objectives
Does high complexity contribute to software vulnerability?
What metrics can represent the complexity that leads to vulnerabilities?
Do vulnerability fixes introduce more complexity?

Hypotheses
More complex programs have more vulnerabilities.
Complexity metrics can predict vulnerabilities.
Modules with vulnerabilities have different complexity than those with faults.
Vulnerability fixes introduce more complexity.

Study Methodology
Required Data: fault reports (Bugzilla); vulnerability reports (CVE, NVD); source code change history (CVS)
Model Building: statistical analysis – logistic regression; machine learning – decision tree, bagging, boosting, Naïve Bayes, Bayesian networks
Evaluation: cross-validation, next-release validation

Case Study
JavaScript Engine in Mozilla
106 vulnerability bugs reported to Bugzilla
Best metric – nesting complexity: low FP (0.9%), but high FN (88.0%)
Need to develop better metrics
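The methodology and case-study slides above describe the whole pipeline in a few bullets: compute a complexity metric per module, fit a predictor on one release, and report false-positive and false-negative rates on the next. The following is an added example, not code from the slides or from the Mozilla project, that walks that pipeline end to end on constructed input: a naive nesting-complexity calculator for C-like source, a threshold predictor fitted on one "release", and next-release validation that reports FP and FN rates the way the slides do. The function names, the two tiny releases, and the vulnerability labels are all made up for illustration; the brace-counting metric is a simplification of what a real metric tool (or the paper's tooling) computes.

```python
"""Added example: nesting-complexity metric + next-release validation.

Everything here is constructed for illustration; it is not the authors' code
and the sample functions are not real Mozilla JavaScript engine code.
"""
import re


def max_nesting(source: str) -> int:
    """Maximum nesting depth of blocks inside a C-like function body.

    Brace depth is counted after stripping comments and string literals, so
    a '{' inside "..." or /* ... */ is not mistaken for a block. The
    function's own body brace is subtracted, so a straight-line function
    has nesting 0. This is deliberately simplistic (no preprocessor, no
    char literals); a real study would use a parser-based metric tool.
    """
    src = re.sub(r"//.*", "", source)
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    src = re.sub(r'"(?:\\.|[^"\\])*"', '""', src)
    depth = deepest = 0
    for ch in src:
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
    return max(deepest - 1, 0)


# Constructed "releases": name -> (source, has_reported_vulnerability).
# Release 1 is used to fit the predictor, release 2 to validate it.
RELEASE_1 = {
    "js_parse_shallow": ("int js_parse_shallow(int x) { return x + 1; }", False),
    "js_obj_loop": ("void js_obj_loop(int n) { for (int i = 0; i < n; i++) "
                    "{ if (i % 2) { g(i); } } }", False),
    "js_deep_alloc": ("void js_deep_alloc(int n) { if (n) { while (n--) "
                      "{ if (h(n)) { k(n); } } } }", True),
    "js_str_copy": ('void js_str_copy(char *s) { if (s) { /* { */ '
                    'memcpy(buf, s, len); } }', True),
    "js_gc_mark": ("void js_gc_mark() { if (a) { if (b) { if (c) "
                   "{ if (d) { m(); } } } } }", True),
}
RELEASE_2 = {
    "js_num_fmt": ('int js_num_fmt(int x) { puts("{"); return x * 10; }', False),
    "js_regexp_exec": ("void js_regexp_exec(int n) { if (n) { while (n--) "
                       "{ if (h(n)) { k(n); } } } }", False),
    "js_array_sort": ("void js_array_sort(int n) { for (int i = 0; i < n; i++) "
                      "{ if (i % 2) { g(i); } } }", True),
    "js_date_parse": ("void js_date_parse(char *s) { if (s) "
                      "{ memcpy(buf, s, len); } }", True),
    "js_iter_next": ("void js_iter_next() { if (a) { if (b) { if (c) "
                     "{ if (d) { m(); } } } } }", True),
    "js_prop_get": ("void js_prop_get(int *p) { if (p) { *p = 0; } }", False),
}


def metric_samples(release):
    """Turn a release into (metric_value, is_vulnerable) pairs."""
    return [(max_nesting(src), vuln) for src, vuln in release.values()]


def confusion(samples, threshold):
    """Counts (tp, fp, tn, fn) when 'metric >= threshold' predicts vulnerable."""
    tp = fp = tn = fn = 0
    for metric, vulnerable in samples:
        predicted = metric >= threshold
        if predicted and vulnerable:
            tp += 1
        elif predicted:
            fp += 1
        elif vulnerable:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def rates(tp, fp, tn, fn):
    """FP rate = FP/(FP+TN), FN rate = FN/(FN+TP), as reported on the slides."""
    fp_rate = fp / (fp + tn) if fp + tn else 0.0
    fn_rate = fn / (fn + tp) if fn + tp else 0.0
    return fp_rate, fn_rate


def fit_threshold(samples):
    """Pick the threshold minimising FP rate + FN rate on the training release."""
    best_cost, best_t = None, None
    for t in sorted({m for m, _ in samples}):
        cost = sum(rates(*confusion(samples, t)))
        if best_cost is None or cost < best_cost:
            best_cost, best_t = cost, t
    return best_t


def next_release_validation(train_release, test_release):
    """Fit on one release, evaluate on the next; returns (threshold, fp_rate, fn_rate)."""
    t = fit_threshold(metric_samples(train_release))
    fp_rate, fn_rate = rates(*confusion(metric_samples(test_release), t))
    return t, fp_rate, fn_rate


if __name__ == "__main__":
    t, fp_rate, fn_rate = next_release_validation(RELEASE_1, RELEASE_2)
    print(f"threshold={t} FP={fp_rate:.1%} FN={fn_rate:.1%}")
```

On the constructed data the fitted threshold flags only deeply nested functions, and the next-release check then misses the vulnerabilities that live in shallow code (the memcpy in `js_date_parse`, the loop in `js_array_sort`), which is the same shape of result the slides report: a usable FP rate paid for with a high FN rate.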