Xi Yang,Gul Jabeen,Ping Luo,Xiao-Ling Zhu,Mei-Hua Liu

DOI: https://doi.org/10.1007/s11390-018-1843-2

2018-01-01

Abstract:As trust becomes increasingly important in software domain, software trustworthiness - as a complex high-composite concept, has developed into a big challenge people have to face, especially in the current open, dynamic and ever-changing Internet environment. Furthermore, how to recognize and define trust problem from its nature and how to measure software trustworthiness correctly and effectively play a key role in improving users' trust in choosing software. Based on trust theory in the field of humanities and sociology, this paper proposes a measurable S2S (Social-to-Software) software trustworthiness framework, introduces a generalized indicator loss to unify three parts of trustworthiness result, and presents a whole metric solution for software trustworthiness, including the advanced J-M model based on power function and time-loss rate for ability trustworthiness measurement, the fuzzy comprehensive evaluation advanced-model considering effect of multiple short boards for basic standard trustworthiness, and the identity trustworthiness measurement method based on the code homology detecting tools. Finally, it provides a case study to verify that the solution is applicable and effective.

Wen Li,Lingdi Ping,Kuijun Lu,Xiaoping Chen

DOI: https://doi.org/10.1109/ICIE.2009.33

2009-01-01

Abstract:As traditional network security cannot meet the security requirements, the international research shows that network security is on the way to Trustworthy Internet and that the trustworthy issue becomes a hot topic in the future Internet. Trust evaluation of users' behavior is an important part of Trustworthy Internet and a rational trust model plays a key role in the evaluation. This paper concludes many principles of the trust model by analyzing existing trust models and proposes a novel trust model including both the direct and indirect trust. In our model, the direct trust is more trustworthy and is weighted more with the more and more interactions and the indirect evaluation becomes less and less important. The subjective factor is considered to make the direct trust obey the principle of "rise-lowly, decline-quickly". Furthermore, recommenders' credibility is taken into account in the indirect trust evaluation, which can avoid the denigration and make indirect trust more objective. We also consider the process of referral of the credibility to gain more information to evaluate the indirect trust effectively. Credibility evaluation is the basis of the filtering of low credibility and the improvement of trust evaluation. Finally, several experiments are shown to illustrate the properties of the model. © 2009 IEEE.

Gul Jabeen,Xi Yang,Ping Luo

DOI: https://doi.org/10.1504/ijics.2021.116302

2021-01-01

Abstract:Software vulnerabilities primarily constitute security risks. Commonalities between faults and vulnerabilities prompt developers to utilise traditional fault prediction models and metrics for vulnerability prediction. Although traditional models can predict the number of vulnerabilities and their occurrence time, they fail to accurately determine the seriousness of vulnerabilities, impacts, and severity level. To address these deficits, we propose a method for predicting software vulnerabilities based on a Markov chain model, which offers a more comprehensive descriptive model with the potential to accurately predict vulnerability type, i.e., the seriousness of the vulnerabilities. The experiments are performed using real vulnerability data of three types of popular software: Windows 10, Adobe Flash Player and Firefox. Our model is shown to produce accurate predictive results.

Lewen Zhang,Yong Zhou,Yixiang Chen,Min Zhang,Juyang Zhang

DOI: https://doi.org/10.1109/SERE-C.2013.23

2013-01-01

Abstract:The software trustworthiness is an important feature for the safety and security of cyber-physical system. Therefore, how to assess software trustworthiness is the key issue. Tao has recently given five measurement models of software trustworthiness based on the attributes of software in his Doctoral Dissertation and his publications. After simulating these models with the Monte Carlo method, we find out that these models have a common shortcoming that the trustworthy degree would not be within the same range as the range in which all attributes' values are. In order to solve this problem, this paper introduces the stability rule with which measurement model of software trustworthiness is proposed. According to these rules, this paper proposes two models which are originally based on Tao's models. The succeeding mathematical proof and simulation demonstrate that these models meet all the rules. These two models have been applied to compute the degree of software trustworthiness in the software trustworthy measurement and evaluation tool.

Xi Yang,Ping Luo,Gul Jabeen

DOI: https://doi.org/10.1088/1755-1315/234/1/012073

2019-01-01

IOP Conference Series Earth and Environmental Science

Abstract:With the rapid development of Internet, software trustworthiness has been increasingly important. How to measure this property has become a real challenge. Based on Sociology Trust system, this paper presents a framework which could be measurable, called as SocialToTech Software Trust Framework (SSTF). The SSTF includes three parts of software trustworthiness and this paper proposes a whole metric solution through a generalized indicator Cost-Loss.

Subil Abraham,Suku Nair

DOI: https://doi.org/10.48550/arXiv.1501.01901

2015-01-08

Cryptography and Security

Abstract:Numerous security metrics have been proposed in the past for protecting computer networks. However we still lack effective techniques to accurately measure the predictive security risk of an enterprise taking into account the dynamic attributes associated with vulnerabilities that can change over time. In this paper we present a stochastic security framework for obtaining quantitative measures of security using attack graphs. Our model is novel as existing research in attack graph analysis do not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. Gaining a better understanding of the relationship between vulnerabilities and their lifecycle events can provide security practitioners a better understanding of their state of security. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.

Yun Zhang,David Lo,Xin Xia,Bowen Xu,Jianling Sun,Shanping Li

DOI: https://doi.org/10.1109/ICECCS.2015.15

2015-01-01

Abstract:In recent years, to help developers reduce time and effort required to build highly secure software, a number of prediction models which are built on different kinds of features have been proposed to identify vulnerable source code files. In this paper, we propose a novel approach VULPREDICTOR to predict vulnerable files, it analyzes software metrics and text mining together to build a composite prediction model. VULPREDICTOR first builds 6 underlying classifiers on a training set of vulnerable and non-vulnerable files represented by their software metrics and text features, and then constructs a meta classifier to process the outputs of the 6 underlying classifiers. We evaluate our solution on datasets from three web applications including Drupal, PHPMyAdmin and Moodle which contain a total of 3,466 files and 223 vulnerabilities. The experiment results show that VULPREDICTOR can achieve F1 and EffectivenessRatio@20% scores of up to 0.683 and 75%, respectively. On average across the 3 projects, VULPREDICTOR improves the F1 and EffectivenessRatio@20% scores of the best performing state-of-the-art approaches proposed by Walden et al. by 46.53% and 14.93%, respectively.

Yafang Huang,Yanzhao Liu,Ping Luo

DOI: https://doi.org/10.1109/PAAP.2012.43

2012-01-01

Abstract:Failures that exist in software cause tremendous damage and bring large amount of loss. Thus the research of software trustworthiness has been attracted much attention from all over the world. By considering the impact of failure loss, the traditional definition of software reliability is redefined in this paper and improved to software strong reliability. Based on this new definition and traditional J-M model, a new model called SSRGM is proposed along with its mathematical relationship and implementation based on Markov Chain. Besides, through experiment and analysis, the conclusion that this model is correct and effective is drawn.

Umamaheswara Sharma B,Ravichandra Sadam

DOI: https://doi.org/10.48550/arXiv.2210.04665

2022-10-10

Abstract:In a critical software system, the testers have to spend an enormous amount of time and effort to maintain the software due to the continuous occurrence of defects. Among such defects, some severe defects may adversely affect the software. To reduce the time and effort of a tester, many machine learning models have been proposed in the literature, which use the documented defect reports to automatically predict the severity of the defective software modules. In contrast to the traditional approaches, in this work we propose a metric-based software defect severity prediction (SDSP) model that uses a self-training semi-supervised learning approach to classify the severity of the defective software modules. The approach is constructed on a mixture of unlabelled and labelled defect severity data. The self-training works on the basis of a decision tree classifier to assign the pseudo-class labels to the unlabelled instances. The predictions are promising since the self-training successfully assigns the suitable class labels to the unlabelled instances. On the other hand, numerous research studies have covered proposing prediction approaches as well as the methodological aspects of defect severity prediction models, the gap in estimating project attributes from the prediction model remains unresolved. To bridge the gap, we propose five project specific measures such as the Risk-Factor (RF), the Percent of Saved Budget (PSB), the Loss in the Saved Budget (LSB), the Remaining Service Time (RST) and Gratuitous Service Time (GST) to capture project outcomes from the predictions. Similar to the traditional measures, these measures are also calculated from the observed confusion matrix. These measures are used to analyse the impact that the prediction model has on the software project.

Software Engineering

Feng Xu,Jing Pan,Wen Lu

DOI: https://doi.org/10.1007/s11390-009-9231-6

2009-01-01

Abstract:Emerging with open environments, the software paradigms, such as open resource coalition and Internetware, present several novel characteristics including user-centric, non-central control, and continual evolution. The goal of obtaining high confidence on such systems is more difficult to achieve. The general developer-oriented metrics and testing-based methods which are adopted in the traditional measurement for high confidence software seem to be infeasible in the new situation. Firstly, the software development is changed from the developer-centric to user-centric, while user's opinions are usually subjective, and cannot be generalized in one objective metric. Secondly, there is non-central control to guarantee the testing on components which formed the software system, and continual evolution makes it impossible to test on the whole software system. Therefore, this paper proposes a trust-based approach that consists of three sequential sub-stages: 1) describing metrics for confidence estimation from users; 2) estimating the confidence of the components based on the quantitative information from the trusted recommenders; 3) estimating the confidence of the whole software system based on the component confidences and their interactions, as well as attempts to make a step toward a reasonable and effective method for confidence estimation of the software system in open environments.

Xiaohu Li,Timothy Paul Parker,Shouhuai Xu

DOI: https://doi.org/10.1109/tdsc.2008.75

2011-01-01

Abstract:Traditional security analyses are often geared toward cryptographic primitives or protocols. Although such analyses are necessary, they cannot address a defender's need for insight into which aspects of a networked system having a significant impact on its security, and how to tune its configurations or parameters so as to improve security. This question is known to be notoriously difficult to answer, and the state of the art is that we know little about it. Toward ultimately addressing this question, this paper presents a stochastic model for quantifying security of networked systems. The resulting model captures two aspects of a networked system:1) the strength of deployed security mechanisms such as intrusion detection systems and 2) the underlying vulnerability graph, which reflects how attacks may proceed. The resulting model brings the following insights: 1) How should a defender “tune” system configurations (e.g., network topology) so as to improve security? 2) How should a defender “tune” system parameters (e.g., by upgrading which security mechanisms) so as to improve security? 3) Under what conditions is the steady-state number of compromised entities of interest below a given threshold with a high probability? Simulation studies are conducted to confirm the analytic results, and to show the tightness of the bounds of certain important metric that cannot be resolved analytically.

SHEN Guo-Hua,HUANG Zhi-Qiu,XIE Bing,ZHU Yi-Quan,LIAO Li-Li,WANG Fei,LIU Yin-Ling

DOI: https://doi.org/10.13328/j.cnki.jos.005024

2016-01-01

Abstract:The failure of safety-critical software could result in death, injury and damage to people or loss of equipment or property. Therefore, it is important to evaluate whether software trustworthiness fulfills the user needs (i.e., trustworthiness evaluation). This paper first compares the definition of software trustworthiness and its evaluation. Then, it surveys the software trustworthiness evaluation from three different aspects: Standards, models, and CASE tools. This work studies these aspects from the view of domain-independent as well as domain-dependent. In summary, there is great progress being made for software trustworthiness evaluation theoretically and practically while its universality and scalability are still need to be improved.

Liang Chen,Ping Cheng,Wei Liu

DOI: https://doi.org/10.1109/icnc.2010.5583290

2010-01-01

Abstract:With the wide application of trustworthy software, the trustworthiness and trustworthiness level have become the important issues concerned by users and software manufacturers. After analyzing the connotation of software trustworthiness and extending the trustworthy attribute model from the perspective of trustworthiness measurement, this paper builds a trustworthiness evaluation model for software product with four-layer structure, and analyzes the key parameters in model and the trustworthiness level of software product. Based on the evaluation model, the paper proposes an evaluation process model of trustworthiness for software product, which can automatically realize the trustworthiness level evaluation for software product, and describes the detailed evaluation flow. The paper takes the trustworthiness level evaluation of monitoring software product of aircraft engine for example to explain the application of the model and method.

Georgios Spanos,Lefteris Angelis

DOI: https://doi.org/10.1016/j.jss.2018.09.039

IF: 3.5

2018-12-01

Journal of Systems and Software

Abstract:Software vulnerabilities constitute a great risk for the IT community. The specification of the vulnerability characteristics is a crucial procedure, since the characteristics are used as input for a plethora of vulnerability scoring systems. Currently, the determination of the specific characteristics -that represent each vulnerability- is a process that is performed manually by the IT security experts. However, the vulnerability description can be very informative and useful to predict vulnerability characteristics. The primary goal of this research is the enhancement, the acceleration and the support of the manual procedure of the vulnerability characteristic assignment. To achieve this goal, a model, which combines texts analysis and multi-target classification techniques was developed. This model estimates the vulnerability characteristics and subsequently, calculates the vulnerability severity scores from the predicted characteristics. To perform the present research, a dataset that contains 99,091 records from a large -publicly available- vulnerability database was used. The results are encouraging, since they show accuracy in the prediction of the vulnerability characteristics and scores.

computer science, theory & methods, software engineering

ZhiMing Zheng,ShiLong Ma,Wei Li,Xin Jiang,Wei,LiLi Ma,ShaoTing Tang

DOI: https://doi.org/10.1007/s11432-009-0143-4

2009-01-01

Science in China Series F Information Sciences

Abstract:Developing trusted softwares has become an important trend and a natural choice in the development of software technology and applications. At present, the method of measurement and assessment of software trustworthiness cannot guarantee safe and reliable operations of software systems completely and effectively. Based on the dynamical system study, this paper interprets the characteristics of behaviors of software systems and the basic scientific problems of software trustworthiness complexity, analyzes the characteristics of complexity of software trustworthiness, and proposes to study the software trustworthiness measurement in terms of the complexity of software trustworthiness. Using the dynamical statistical analysis methods, the paper advances an invariant-measure based assessment method of software trustworthiness by statistical indices, and hereby provides a dynamical criterion for the untrustworthiness of software systems. By an example, the feasibility of the proposed dynamical statistical analysis method in software trustworthiness measurement is demonstrated using numerical simulations and theoretical analysis.

Sarah Ali Siddiqui,Chandra Thapa,Rayne Holland,Wei Shao,Seyit Camtepe

2024-08-06

Abstract:Considering the ever-evolving threat landscape and rapid changes in software development, we propose a risk assessment framework SRiQT (Software Risk Quantification through Trust). This framework is based on the necessity of a dynamic, data-driven, and adaptable process to quantify risk in the software supply chain. Usually, when formulating such frameworks, static pre-defined weights are assigned to reflect the impact of each contributing parameter while aggregating these individual parameters to compute resulting risk scores. This leads to inflexibility, a lack of adaptability, and reduced accuracy, making them unsuitable for the changing nature of the digital world. We adopt a novel perspective by examining risk through the lens of trust and incorporating the human aspect. Moreover, we quantify risk associated with individual software by assessing and formulating risk elements quantitatively and exploring dynamic data-driven weight assignment. This enhances the sensitivity of the framework to cater to the evolving risk factors associated with software development and the different actors involved in the entire process. The devised framework is tested through a dataset containing 9000 samples, comprehensive scenarios, assessments, and expert opinions. Furthermore, a comparison between scores computed by the OpenSSF scorecard, OWASP risk calculator, and the proposed SRiQT framework has also been presented. The results suggest that SRiQT mitigates subjectivity and yields dynamic data-driven weights as well as risk scores.

Software Engineering

SHEN Guohua,HUANG Zhiqiu,QIAN Ju,XU Yongjun,HAO Jin,ZHAO Wenyun,PENG Xin

DOI: https://doi.org/10.3778/j.issn.1673-9418.2011.06.008

2011-01-01

Abstract:Software trustworthiness evaluation is an important aspect of software quality assurance.There are some weaknesses in the current research,such as facing special software modality,fixed trustworthiness attribute,lack of software trustworthiness evaluation tools.This paper presents a general model of software trustworthiness evalua-tion,discusses its implementation process systematically,develops a trustworthiness evaluation management system based on this model,and verifies the feasibility of the model by analyzing a detailed case in a real taxation domain.This approach will be beneficial to trustworthiness evaluation practices by using the evaluation system.

Li Meng,Zhou Xianzhong,Wang Jiacun,Zhao Jiabao,Zhu Yingying

DOI: https://doi.org/10.1109/icnsc.2009.4919395

2009-01-01

Abstract:Software trustworthiness is one of most important measurements of software quality. Much effort has been spent in searching for methods of improving software trustworthiness. However, nowadays the concept and attributes of trustworthiness are still studied insufficiently; the researches in software trustworthiness have focused on satisfying the expectations of end users while ignored the importance of intermediate stages of software life cycle. This paper first reviews the history of trustworthiness and then explains briefly the differences between dependability and trustworthiness. We analyze the characteristics of software trustworthiness through software development life cycle, and define the software trustworthiness and software stage trustworthiness. We introduce the concept of distrustable factors to reveal why software defects could be there. We propose a formal software trustworthiness model to analyze further how distrustable factors impact the deliverables. Then, we use an example of common defects to show the identification of distrustable factors.

Yan Wang,Zenan Wu

DOI: https://doi.org/10.1109/access.2024.3426535

IF: 3.9

2024-07-19

IEEE Access

Abstract:With the rapid popularization of cloud computing, the increase in cloud traffic and resources has come with increased uncertainty. Therefore, the consideration of uncertainty and dynamics is becoming more important for the effective management of cloud resources. This article aims to establish a more accurate and reliable service evaluation model suited for a dynamic and changeable network environment, which provides users with more precise service selections and recommendations. Cloud service (CS) trust evaluation is conducted from subjective and objective perspectives in this paper. First, a set of objective criteria evaluation cloud is generated based on multivalued monitoring data, which can more accurately reflect the dynamic performance of CSs. Second, similar recommenders are identified based on the similarity of the objective criteria evaluation cloud of the current user and recommenders. Then an objective assessment is employed as a benchmark to remove malicious or potentially biased subjective recommendations by comparisons with corresponding subjective assessment characteristics. Finally, the objective trust evaluation cloud is converted into a trust degree expressed by the probabilistic linguistic term set (PLTS) method. Additionally, the subjective trust degree and trust preference defined by the trustor are combined to evaluate the trustworthiness of the CSs. Using the PLTS method to scale the trust of each criterion of CSs can systematically describe the dynamic performance of CSs, and consider the uncertainty and vagueness of trust. The experimental results demonstrate its effectiveness, feasibility and better accuracy compared with other methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

ZHAN Ji-zhou,ZHOU Xian-zhong,ZHAO Jia-bao,WANG Jian-feng

DOI: https://doi.org/10.16381/j.cnki.issn1003-207x.2010.06.001

2010-01-01

Abstract:Software defect is the key measure of software reliability,and predicting defect is also one of the core topics of software quality evaluation.Based on analysis of mechanism of software defect growth,the states of defect are divided into hidden,be detected and repaired.Considering the combined effect of distrustable factors and constrained factors,the differential equation model for defect states transferring is proposed in this paper.The stability of equilibrium point and boundary condition of distrustable factors are also analyzed.Meanwhile,a real project of NASA is analyzed,the hidden defects are estimated by the record of detected and repaired defect,and the results are exemplified the rationality of the model.