Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploring Complexity Metrics as Indicators of Software Vulnerability

Published byΙώ Αλεξόπουλος Modified over 5 years ago

Similar presentations

Presentation on theme: "Exploring Complexity Metrics as Indicators of Software Vulnerability"— Presentation transcript:

1 Exploring Complexity Metrics as Indicators of Software Vulnerability
Yonghee Shin Jason Froehlich October 29, 2008

2 Definitions Error – human mistake that causes fault in software
Fault – encoded human error that causes failure when executed Failure – deviation of a system from required behavior Vulnerability – weakness that makes it possible for potential security violation to occur

3 Study Objectives Does high complexity contribute to software vulnerability? What metrics can represent the complexity that leads to vulnerabilities? Do vulnerability fixes introduce more complexity?

4 Hypotheses More complex programs have more vulnerabilities.
Complexity metrics can predict vulnerabilities. Modules with vulnerabilities have different complexity than those with faults. Vulnerability fixes introduce more complexity.

5 Study Methodology Required Data Fault reports (Bugzilla)‏
Vulnerability reports (CVE, NVD)‏ Source code change history (CVS)‏ Model Building Statistical analysis – Logistic Regression Machine learning – decision tree, bagging, boosting, Naïve Bayes, Bayesian networks Evaluation Cross-validation, next release validation

6 Case Study JavaScript Engine in Mozilla
106 vulnerability bugs reported to Bugzilla Best metric - Nesting complexity low FP (0.9%), but high FN (88.0%)‏ need to develop better metrics

Download ppt "Exploring Complexity Metrics as Indicators of Software Vulnerability"

Similar presentations

On the application of GP for software engineering predictive modeling: A systematic review Expert systems with Applications, Vol. 38 no. 9, 2011 Wasif.

On the application of GP for software engineering predictive modeling: A systematic review Expert systems with Applications, Vol. 38 no. 9, 2011 Wasif.
Lecture 8: Testing, Verification and Validation

Lecture 8: Testing, Verification and Validation
Testing and Quality Assurance

Testing and Quality Assurance
D ON ’ T G ET K ICKED – M ACHINE L EARNING P REDICTIONS FOR C AR B UYING Albert Ho, Robert Romano, Xin Alice Wu – Department of Mechanical Engineering,

D ON ’ T G ET K ICKED – M ACHINE L EARNING P REDICTIONS FOR C AR B UYING Albert Ho, Robert Romano, Xin Alice Wu – Department of Mechanical Engineering,
An Analysis of Machine Learning Algorithms for Condensing Reverse Engineered Class Diagrams Hafeez Osman, Michel R.V. Chaudron and Peter van der Putten.

An Analysis of Machine Learning Algorithms for Condensing Reverse Engineered Class Diagrams Hafeez Osman, Michel R.V. Chaudron and Peter van der Putten.
MetriCon 2.0 Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail Michael Gegick, Laurie Williams North Carolina.

MetriCon 2.0 Correlating Automated Static Analysis Alert Density to Reported Vulnerabilities in Sendmail Michael Gegick, Laurie Williams North Carolina.
1 ECE 453 – CS 447 – SE 465 Software Testing & Quality Assurance Case Studies Instructor Paulo Alencar.

1 ECE 453 – CS 447 – SE 465 Software Testing & Quality Assurance Case Studies Instructor Paulo Alencar.
1 Predicting Bugs From History Software Evolution Chapter 4: Predicting Bugs from History T. Zimmermann, N. Nagappan, A Zeller.

1 Predicting Bugs From History Software Evolution Chapter 4: Predicting Bugs from History T. Zimmermann, N. Nagappan, A Zeller.
What causes bugs? Joshua Sunshine. Bug taxonomy Bug components: – Fault/Defect – Error – Failure Bug categories – Post/pre release – Process stage – Hazard.

What causes bugs? Joshua Sunshine. Bug taxonomy Bug components: – Fault/Defect – Error – Failure Bug categories – Post/pre release – Process stage – Hazard.
Analysis of CK Metrics “Empirical Analysis of Object-Oriented Design Metrics for Predicting High and Low Severity Faults” Yuming Zhou and Hareton Leung,

Analysis of CK Metrics “Empirical Analysis of Object-Oriented Design Metrics for Predicting High and Low Severity Faults” Yuming Zhou and Hareton Leung,
Prediction Basic concepts. Scope Prediction of:  Resources  Calendar time  Quality (or lack of quality)  Change impact  Process performance  Often.

Prediction Basic concepts. Scope Prediction of:  Resources  Calendar time  Quality (or lack of quality)  Change impact  Process performance  Often.
SE 450 Software Processes & Product Metrics Reliability: An Introduction.

SE 450 Software Processes & Product Metrics Reliability: An Introduction.
1 The Expected Performance Curve Samy Bengio, Johnny Mariéthoz, Mikaela Keller MI – 25. oktober 2007 Kresten Toftgaard Andersen.

1 The Expected Performance Curve Samy Bengio, Johnny Mariéthoz, Mikaela Keller MI – 25. oktober 2007 Kresten Toftgaard Andersen.
Software Process and Product Metrics

Software Process and Product Metrics
Machine Learning Usman Roshan Dept. of Computer Science NJIT.

Machine Learning Usman Roshan Dept. of Computer Science NJIT.
S Neuendorf 2004 Prediction of Software Defects SASQAG March 2004 by Steve Neuendorf.

S Neuendorf 2004 Prediction of Software Defects SASQAG March 2004 by Steve Neuendorf.
A Comparative Analysis of the Efficiency of Change Metrics and Static Code Attributes for Defect Prediction Raimund Moser, Witold Pedrycz, Giancarlo Succi.

A Comparative Analysis of the Efficiency of Change Metrics and Static Code Attributes for Defect Prediction Raimund Moser, Witold Pedrycz, Giancarlo Succi.
1 The Relationship of Cyclomatic Complexity, Essential Complexity and Error Rates Mike Chapman and Dan Solomon

1 The Relationship of Cyclomatic Complexity, Essential Complexity and Error Rates Mike Chapman and Dan Solomon
Software Reliability Growth. Three Questions Frequently Asked Just Prior to Release 1.Is this version of software ready for release (however “ready” is.

Software Reliability Growth. Three Questions Frequently Asked Just Prior to Release 1.Is this version of software ready for release (however “ready” is.
Software Testing Content Essence Terminology Classification –Unit, System … –BlackBox, WhiteBox Debugging IEEE Standards.

Software Testing Content Essence Terminology Classification –Unit, System … –BlackBox, WhiteBox Debugging IEEE Standards.

Similar presentations

Ads by Google