Gul Jabeen,Xi Yang,Ping Luo

DOI: https://doi.org/10.1504/ijics.2021.116302

2021-01-01

Abstract:Software vulnerabilities primarily constitute security risks. Commonalities between faults and vulnerabilities prompt developers to utilise traditional fault prediction models and metrics for vulnerability prediction. Although traditional models can predict the number of vulnerabilities and their occurrence time, they fail to accurately determine the seriousness of vulnerabilities, impacts, and severity level. To address these deficits, we propose a method for predicting software vulnerabilities based on a Markov chain model, which offers a more comprehensive descriptive model with the potential to accurately predict vulnerability type, i.e., the seriousness of the vulnerabilities. The experiments are performed using real vulnerability data of three types of popular software: Windows 10, Adobe Flash Player and Firefox. Our model is shown to produce accurate predictive results.

Wang Fan,Yang Xiaohu,Zhu Xiaochun,Chen Lu

DOI: https://doi.org/10.1109/tencon.2009.5395821

2009-01-01

Abstract:Most of projects' cost exceeds 10% of yearly corporations' turnover, a major factor contributing to this loss is the overrun cost of software testing. A lot of events during software Quality Assurance(QA) cycles, the main execution part of testing process, lead the loss. Therefore, there is a great potential benefit to find a way to predict the loss when the risk events arise or when we know they will happen during the QA cycles. In this paper, a model is proposed to solve the above problem via Bayesian Belief Network (BBN), in this model, five independent factors, which may lead the loss in software testing, are extracted by exploring the historical documents and questionnaires back from QA managers, and they are used to classify the loss of the QA effort, and predict the probability distribution of the loss, the mean of the distribution is defined as the predicated loss. The model is proved effective according to the data collected from 45 delayed QA cycles.

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Yun Zhang,David Lo,Xin Xia,Bowen Xu,Jianling Sun,Shanping Li

DOI: https://doi.org/10.1109/ICECCS.2015.15

2015-01-01

Abstract:In recent years, to help developers reduce time and effort required to build highly secure software, a number of prediction models which are built on different kinds of features have been proposed to identify vulnerable source code files. In this paper, we propose a novel approach VULPREDICTOR to predict vulnerable files, it analyzes software metrics and text mining together to build a composite prediction model. VULPREDICTOR first builds 6 underlying classifiers on a training set of vulnerable and non-vulnerable files represented by their software metrics and text features, and then constructs a meta classifier to process the outputs of the 6 underlying classifiers. We evaluate our solution on datasets from three web applications including Drupal, PHPMyAdmin and Moodle which contain a total of 3,466 files and 223 vulnerabilities. The experiment results show that VULPREDICTOR can achieve F1 and EffectivenessRatio@20% scores of up to 0.683 and 75%, respectively. On average across the 3 projects, VULPREDICTOR improves the F1 and EffectivenessRatio@20% scores of the best performing state-of-the-art approaches proposed by Walden et al. by 46.53% and 14.93%, respectively.

Tianjun Zhu,Xiaoxuan Yin,Zhenfeng Wang,Dong Wang,Fei Li,Wang Xinyu,Ma Wei,Zheng Wang

DOI: https://doi.org/10.4271/2020-01-0701

2020-01-01

SAE International Journal of Advances and Current Practices in Mobility

Abstract:The study of heavy vehicles rollover prediction, especially in algorithm-based heavy vehicles active safety control for improving road handling, is a challenging task for the heavy vehicle industry. Due to the high fatality rate caused by vehicle rollover, how to precisely and effectively predict the rollover of heavy vehicles became a hot topic in both academia and industry. Because of the strong non-linear characteristics of Human-Vehicle-Road interaction and the uncertainty of modeling, the traditional deterministic method cannot predict the rollover hazard of heavy vehicles accurately. To deal with the above issues, this paper applies a probability method of uncertainty to the design of a dynamic rollover prediction algorithm for heavy vehicles and proposes a novel algorithm for predicting the rollover hazard based on the combined empirical model of reliability index and failure probability. Moreover, the paper establishes a classification model of heavy vehicles based on the support vector machine (SVM) and uses the Monte Carlo method to calculate the failure probability of rollover limit state of heavy vehicles. The fishhook, double lane change, and slalom maneuver tests of heavy vehicles are used to predict and validate the proposed algorithm in real-time. The simulation results show that the rollover prediction method based on failure probability is accurate and real-time, and can effectively improve the rollover prediction accuracy. Meanwhile, the proposed approach reduces the external interference of strong non-linear characteristics of Human-Vehicle-Road interaction and the uncertainty of the modeling to the system, thus significantly improving the prediction accuracy of active safety performance of heavy vehicles.

Jinkun Geng,Daren Ye,Ping Luo

DOI: https://doi.org/10.1007/978-3-319-27161-3_13

2015-01-01

Abstract:Vulnerabilities usually represents the risk level of software, therefore, it is of high value to predict vulnerabilities so as to evaluate the security level of software. Current researches mainly focus on predicting the number of vulnerabilities or the occurrence time of vulnerabilities, however, to our best knowledge, there are no other researches focusing on the prediction of vulnerabilities' severity, which we think is an important aspect reflecting vulnerabilities and software security. To compensate for this deficiency, we propose a novel method based on grey system theory to predict the severity of vulnerabilities. The experiment is carried on the real data collected from CVE and proves the feasibility of our predicting method.

Shuang Wu,Congyi Wang,Jianping Zeng,Chengrong Wu

DOI: https://doi.org/10.1109/asid50160.2020.9271730

2020-01-01

Abstract:Vulnerabilities have been widely exploited to launch various cyberattacks, and become one of the most popular network security problems. Several kinds of research on vulnerabilities have been carried out, such as, mining vulnerability, tracing vulnerability, forecasting vulnerability, and so on. Vulnerability forecasting models make the prediction of zero-day vulnerabilities possible, hence they can help us learn more about the number of vulnerabilities in future days and take defence measures in advance. However, most of these models stem from statistics, which cannot adapt to our application scenario very well. Unlike traditional statistical methods, we propose a vulnerability forecasting method based on multivariable LSTM and carry on experiments on the NVD data set. In comparison with ARIMA, our method perform better in number prediction of vulnerabilities.

Jinkun Geng,Daren Ye,Ping Luo

DOI: https://doi.org/10.1109/IAEAC.2015.7428572

2015-01-01

Abstract:Vulnerabilities usually represents the risk level of software, and it is of high value to forecast vulnerabilities so as to evaluate the security level of software. Current researches mainly focus on predicting the number of vulnerabilities or the occurrence time of vulnerabilities, however, to our best knowledge, there are no other researches focusing on the prediction of vulnerabilities' severity, which we think is an important aspect reflecting vulnerabilities and software security. To compensate for this deficiency, we borrows the grey model GM(1,1) from grey system theory to forecast the severity of vulnerabilities. The experiment is carried on the real data collected from CVE and proves the feasibility of our predicting method.

Mohammad Shamsul Hoque,Norziana Jamil,Nowshad Amin,Kwok-Yan Lam

DOI: https://doi.org/10.3390/s21124220

IF: 3.9

2021-06-20

Sensors

Abstract:Successful cyber-attacks are caused by the exploitation of some vulnerabilities in the software and/or hardware that exist in systems deployed in premises or the cloud. Although hundreds of vulnerabilities are discovered every year, only a small fraction of them actually become exploited, thereby there exists a severe class imbalance between the number of exploited and non-exploited vulnerabilities. The open source national vulnerability database, the largest repository to index and maintain all known vulnerabilities, assigns a unique identifier to each vulnerability. Each registered vulnerability also gets a severity score based on the impact it might inflict upon if compromised. Recent research works showed that the cvss score is not the only factor to select a vulnerability for exploitation, and other attributes in the national vulnerability database can be effectively utilized as predictive feature to predict the most exploitable vulnerabilities. Since cybersecurity management is highly resource savvy, organizations such as cloud systems will benefit when the most likely exploitable vulnerabilities that exist in their system software or hardware can be predicted with as much accuracy and reliability as possible, to best utilize the available resources to fix those first. Various existing research works have developed vulnerability exploitation prediction models by addressing the existing class imbalance based on algorithmic and artificial data resampling techniques but still suffer greatly from the overfitting problem to the major class rendering them practically unreliable. In this research, we have designed a novel cost function feature to address the existing class imbalance. We also have utilized the available large text corpus in the extracted dataset to develop a custom-trained word vector that can better capture the context of the local text data for utilization as an embedded layer in neural networks. Our developed vulnerability exploitation prediction models powered by a novel cost function and custom-trained word vector have achieved very high overall performance metrics for accuracy, precision, recall, F1-Score and AUC score with values of 0.92, 0.89, 0.98, 0.94 and 0.97, respectively, thereby outperforming any existing models while successfully overcoming the existing overfitting problem for class imbalance.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Benjamin L. Bullough,Anna K. Yanchenko,Christopher L. Smith,Joseph R. Zipkin

DOI: https://doi.org/10.1145/3041008.3041009

2017-07-25

Abstract:Each year, thousands of software vulnerabilities are discovered and reported to the public. Unpatched known vulnerabilities are a significant security risk. It is imperative that software vendors quickly provide patches once vulnerabilities are known and users quickly install those patches as soon as they are available. However, most vulnerabilities are never actually exploited. Since writing, testing, and installing software patches can involve considerable resources, it would be desirable to prioritize the remediation of vulnerabilities that are likely to be exploited. Several published research studies have reported moderate success in applying machine learning techniques to the task of predicting whether a vulnerability will be exploited. These approaches typically use features derived from vulnerability databases (such as the summary text describing the vulnerability) or social media posts that mention the vulnerability by name. However, these prior studies share multiple methodological shortcomings that inflate predictive power of these approaches. We replicate key portions of the prior work, compare their approaches, and show how selection of training and test data critically affect the estimated performance of predictive models. The results of this study point to important methodological considerations that should be taken into account so that results reflect real-world utility.

Cryptography and Security,Applications,Machine Learning

Triet H. M. Le,Xiaoning Du,M. Ali Babar

2024-01-20

Abstract:Collecting relevant and high-quality data is integral to the development of effective Software Vulnerability (SV) prediction models. Most of the current SV datasets rely on SV-fixing commits to extract vulnerable functions and lines. However, none of these datasets have considered latent SVs existing between the introduction and fix of the collected SVs. There is also little known about the usefulness of these latent SVs for SV prediction. To bridge these gaps, we conduct a large-scale study on the latent vulnerable functions in two commonly used SV datasets and their utilization for function-level and line-level SV predictions. Leveraging the state-of-the-art SZZ algorithm, we identify more than 100k latent vulnerable functions in the studied datasets. We find that these latent functions can increase the number of SVs by 4x on average and correct up to 5k mislabeled functions, yet they have a noise level of around 6%. Despite the noise, we show that the state-of-the-art SV prediction model can significantly benefit from such latent SVs. The improvements are up to 24.5% in the performance (F1-Score) of function-level SV predictions and up to 67% in the effectiveness of localizing vulnerable lines. Overall, our study presents the first promising step toward the use of latent SVs to improve the quality of SV datasets and enhance the performance of SV prediction tasks.

Software Engineering,Cryptography and Security,Machine Learning

Carlos E. Budde,Ranindya Paramitha,Fabio Massacci

2024-11-18

Abstract:Software security mainly studies vulnerability detection: is my code vulnerable today? This hinders risk estimation, so new approaches are emerging to forecast the occurrence of future vulnerabilities. While useful, these approaches are coarse-grained and hard to employ for project-specific technical decisions. We introduce a model capable of vulnerability forecasting at library level. Formalising source-code evolution in time together with library dependency, our model can estimate the probability that a software project faces a CVE disclosure in a future time window. Our approach is white-box and lightweight, which we demonstrate via experiments involving 1255 CVEs and 768 Java libraries, made public as an open-source artifact. Besides probabilities estimation, e.g. to plan software updates, this formal model can be used to detect security-sensitive points in a project, or measure the health of a development ecosystem.

Software Engineering,Cryptography and Security,Emerging Technologies

Hao Guo,Zhenchang Xing,Xiaohong Li

DOI: https://doi.org/10.48550/arXiv.2008.02456

2020-08-06

Abstract:Software vulnerabilities have been continually disclosed and documented. An important practice in documenting vulnerabilities is to describe the key vulnerability aspects, such as vulnerability type, root cause, affected product, impact, attacker type and attack vector, for the effective search and management of fast-growing vulnerabilities. We investigate 120,103 vulnerability reports in the Common Vulnerabilities and Exposures (CVE) over the past 20 years. We find that 56%, 85%, 38% and 28% of CVEs miss vulnerability type, root causes, attack vector and attacker type respectively. To help to complete the missing information of these vulnerability aspects, we propose a neural-network based approach for predicting the missing information of a key aspect of a vulnerability based on the known aspects of the vulnerability. We explore the design space of the neural network models and empirically identify the most effective model design. Using a large-scale vulnerability datas\-et from CVE, we show that we can effectively train a neural-network based classifier with less than 20% of historical CVEs. Our model achieves the prediction accuracy 94%, 79%, 89%and 70% for vulnerability type, root cause, attacker type and attack vector, respectively. Our ablation study reveals the prominent correlations among vulnerability aspects and further confirms the practicality of our approach.

Software Engineering

Jian Jiao,Wenhao Li,Dongchao Guo

DOI: https://doi.org/10.3390/electronics13173350

IF: 2.9

2024-08-25

Electronics

Abstract:Network risk assessment should include the impact of the relationship between vulnerabilities, in order to conduct a more in-depth and comprehensive assessment of vulnerabilities and network-related risks. However, the impact of extracting the relationship between vulnerabilities mainly relies on manual processes, which are subjective and inefficient. To address these issues, this paper proposes a dual-layer knowledge representation model that combines various attributes and structural information of entities. This article first constructs a vulnerability knowledge graph and proposes a two-layer knowledge representation learning model based on it. Secondly, in order to more accurately assess the actual risk of vulnerabilities in specific networks, this paper proposes a vulnerability risk calculation model based on impact relationships, which realizes the risk assessment and ranking of vulnerabilities in specific network scenarios. Finally, based on the research on automatic prediction of the impact relationship between vulnerabilities, this paper proposes a new Bayesian attack graph network risk assessment model for inferring the possibility of device intrusion in the network. The experimental results show that the model proposed in this study outperforms traditional evaluation methods in relationship prediction tasks, demonstrating its efficiency and accuracy in complex network environments. This model achieves efficient resource utilization by simplifying training parameters and reducing the demand for computing resources. In addition, this method can quantitatively evaluate the success probability of attacking specific devices in the network topology, providing risk assessment and defense strategy support for network security managers.

engineering, electrical & electronic,computer science, information systems,physics, applied

Emanuele Iannone,Giulia Sellitto,Emanuele Iaccarino,Filomena Ferrucci,Andrea De Lucia,Fabio Palomba

DOI: https://doi.org/10.1145/3654443

IF: 3.685

2024-03-27

ACM Transactions on Software Engineering and Methodology

Abstract:With the rate of discovered and disclosed vulnerabilities escalating, researchers have been experimenting with machine learning to predict whether a vulnerability will be exploited. Existing solutions leverage information unavailable when a CVE is created, making them unsuitable just after the disclosure. This paper experiments with early exploitability prediction models driven exclusively by the initial CVE record, i.e., the original description and the linked online discussions. Leveraging NVD and Exploit Database, we evaluate 72 prediction models trained using six traditional machine learning classifiers, four feature representation schemas, and three data balancing algorithms. We also experiment with five pre-trained large language models (LLMs). The models leverage seven different corpora made by combining three data sources, i.e., CVE description, Security Focus , and BugTraq . The models are evaluated in a realistic , time-aware fashion by removing the training and test instances that cannot be labeled “neutral” with sufficient confidence. The validation reveals that CVE descriptions and Security Focus discussions are the best data to train on. Pre-trained LLMs do not show the expected performance, requiring further pre-training in the security domain. We distill new research directions, identify possible room for improvement, and envision automated systems assisting security experts in assessing the exploitability.

computer science, software engineering

Xiaoliang Wang,Xiaohong Jiang,Achille Pattavina

DOI: https://doi.org/10.1109/HPSR.2011.5986021

2011-01-01

Abstract:The mission critical network infrastructures are facing potential large region threats, both intentional (like EMP attack, bomb explosion) and natural (like earthquake, flooding). The available research on region failure related vulnerability studies generally adopt a kind of simple “deterministic” region failure models, which can not capture some important features of real region failure scenarios, where a network component in the region only fails with certain probability, and more importantly, such failure probability tends to vary with both its dimension and its distance to failure center. In this paper, we provide a more general “probabilistic” region failure model to capture the key features of a region failure and apply it for the network vulnerability assessment. To facilitate such assessment, we adopt a grid partition-based scheme to estimate various statistical network metrics under a random region failure. A theoretical framework is also established to determine a suitable grid partition such that a specified estimation error requirement is satisfied. The grid partition technique is also useful for identifying the vulnerable zones of a network, which can guide network designers to initiate proper network protection against such failures. The work in this paper helps us more deeply understand the network vulnerability behavior under region failure and facilitates the design and maintenance of future highly survivable mission critical networks.

Yaming Tang,Fei Zhao,Yibiao Yang,Hongmin Lu,Yuming Zhou,Baowen Xu

DOI: https://doi.org/10.1109/QRS.2015.15

2015-01-01

Abstract:In order to identify vulnerable software components, developers can take software metrics as predictors or use text mining techniques to build vulnerability prediction models. A recent study reported that text mining based models have higher recall than software metrics based models. However, this conclusion was drawn without considering the sizes of individual components which affects the code inspection effort to determine whether a component is vulnerable. In this paper, we investigate the predictive power of these two kinds of prediction models in the context of effort-aware vulnerability prediction. To this end, we use the same data sets, containing 223 vulnerabilities found in three web applications, to build vulnerability prediction models. The experimental results show that: (1) in the context of effort-aware ranking scenario, text mining based models only slightly outperform software metrics based models, (2) in the context of effort-aware classification scenario, text mining based models perform similarly to software metrics based models in most cases, and (3) most of the effect sizes (i.e. the magnitude of the differences) between these two kinds of models are trivial. These results suggest that, from the viewpoint of practical application, software metrics based models are comparable to text mining based models. Therefore, for developers, software metrics based models are practical choices for vulnerability prediction, as the cost to build and apply these models is much lower.

Subil Abraham,Suku Nair

DOI: https://doi.org/10.48550/arXiv.1501.01901

2015-01-08

Cryptography and Security

Abstract:Numerous security metrics have been proposed in the past for protecting computer networks. However we still lack effective techniques to accurately measure the predictive security risk of an enterprise taking into account the dynamic attributes associated with vulnerabilities that can change over time. In this paper we present a stochastic security framework for obtaining quantitative measures of security using attack graphs. Our model is novel as existing research in attack graph analysis do not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. Gaining a better understanding of the relationship between vulnerabilities and their lifecycle events can provide security practitioners a better understanding of their state of security. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.

Napier, Kollin,Wang, Shaowei

DOI: https://doi.org/10.1007/s10664-022-10276-6

IF: 3.762

2023-02-04

Empirical Software Engineering

Abstract:With an increase in complexity and severity, it is becoming harder to identify and mitigate vulnerabilities. Although traditional tools remain useful, machine learning models are being adopted to expand efforts. To help explore methods of vulnerability detection, we present an empirical study on the effectiveness of text-based machine learning models by utilizing 344 open-source projects, 2,182 vulnerabilities and 38 vulnerability types. With the availability of vulnerabilities being presented in forms such as code snippets, we construct a methodology based on extracted source code functions and create equal pairings. We conduct experiments using seven machine learning models, five natural language processing techniques and three data processing methods. First, we present results based on full context function pairings. Next, we introduce condensed functions and conduct a statistical analysis to determine if there is a significant difference between the models, techniques, or methods. Based on these results, we answer research questions regarding model prediction for testing within and across projects and vulnerability types. Our results show that condensed functions with fewer features may achieve greater prediction results when testing within rather than across. Overall, we conclude that text-based machine learning models are not effective in detecting vulnerabilities within or across projects and vulnerability types.

computer science, software engineering

Chao Ni,Liyu Shen,Xiaodan Xu,Xin Yin,Shaohua Wang

2024-08-14

Abstract:Though many deep learning-based models have made great progress in vulnerability detection, we have no good understanding of these models, which limits the further advancement of model capability, understanding of the mechanism of model detection, and efficiency and safety of practical application of models. In this paper, we extensively and comprehensively investigate two types of state-of-the-art learning-based approaches (sequence-based and graph-based) by conducting experiments on a recently built large-scale dataset. We investigate seven research questions from five dimensions, namely model capabilities, model interpretation, model stability, ease of use of model, and model economy. We experimentally demonstrate the priority of sequence-based models and the limited abilities of both LLM (ChatGPT) and graph-based models. We explore the types of vulnerability that learning-based models skilled in and reveal the instability of the models though the input is subtlely semantical-equivalently changed. We empirically explain what the models have learned. We summarize the pre-processing as well as requirements for easily using the models. Finally, we initially induce the vital information for economically and safely practical usage of these models.

Software Engineering,Cryptography and Security,Machine Learning