{"title":"An Automatic Software Vulnerability Classification Framework","authors":"Maryam Davari, Mohammad Zulkernine, Fehmi Jaafar","doi":"10.1109/ICSSA.2017.27","DOIUrl":null,"url":null,"abstract":"Security defects are common in large software systems because of their size and complexity. Although efficient development processes, testing, and maintenance policies are applied to software systems, there are still a large number of vulnerabilities that can remain, despite these measures. Developers need to know more about characteristics and types of residual vulnerabilities in systems to adopt suitable countermeasures in current and next versions. We propose an automatic vulnerability classification framework based on conditions that activate vulnerabilities with the goal of helping developers to design appropriate corrective actions (the most costly part of the development and maintenance phases). Different machine learning techniques (Random Forest, C4.5 Decision Tree, Logistic Regression, and Naive Bayes) are employed to construct a classifier with the highest F-measure in labelling an unseen vulnerability by the framework. We evaluate the effectiveness of the classification by analysing 580 software security defects of the Firefox project. The achieved results show that C4.5 Decision Tree is able to identify the category of unseen vulnerabilities with 69% F-measure.","PeriodicalId":307280,"journal":{"name":"2017 International Conference on Software Security and Assurance (ICSSA)","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2017-07-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 International Conference on Software Security and Assurance (ICSSA)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICSSA.2017.27","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 12
Abstract
Security defects are common in large software systems because of their size and complexity. Although efficient development processes, testing, and maintenance policies are applied to software systems, there are still a large number of vulnerabilities that can remain, despite these measures. Developers need to know more about characteristics and types of residual vulnerabilities in systems to adopt suitable countermeasures in current and next versions. We propose an automatic vulnerability classification framework based on conditions that activate vulnerabilities with the goal of helping developers to design appropriate corrective actions (the most costly part of the development and maintenance phases). Different machine learning techniques (Random Forest, C4.5 Decision Tree, Logistic Regression, and Naive Bayes) are employed to construct a classifier with the highest F-measure in labelling an unseen vulnerability by the framework. We evaluate the effectiveness of the classification by analysing 580 software security defects of the Firefox project. The achieved results show that C4.5 Decision Tree is able to identify the category of unseen vulnerabilities with 69% F-measure.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
