Predicting attack-prone components

Proceedings - 2nd International Conference on Software Testing, Verification, and Validation, ICST 2009

Volumn , Issue , 2009, Pages 181-190

  Gegick, Michael ^a   Rotella, Pete ^a   Williams, Laurie ^a  

^a NORTH CAROLINA STATE UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

DATA SETS; END USERS; FALSE POSITIVE RATES; GOODNESS OF FIT; INPUT VARIABLES; MANUAL INSPECTION; PREDICTING ATTACKS; PREDICTIVE MODELS; RECEIVER OPERATING CHARACTERISTIC CURVES; SECURITY RISKS; SOFTWARE COMPONENT; SOFTWARE ENGINEERS; SOFTWARE LIFE CYCLES; SOFTWARE SYSTEMS; SYSTEM COMPONENTS;

MILITARY ENGINEERING; RISK ANALYSIS; RISK MANAGEMENT; SECURITY OF DATA; SOFTWARE TESTING; VERIFICATION;

COMPUTER SOFTWARE SELECTION AND EVALUATION;

EID: 67650114105     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICST.2009.36     Document Type: Conference Paper

References (33)

1. O. H. Alhazmi, Y. K. Malaiya, and I. Ray, "Measuring, analyzing and predicting vulnerabilities in software systems," Computers & Security, vol. 26, no. 3, pp. 219-228, May 2006.
2. B. Boehm, Software Engineering Economics, New Jersey, Prentice-Hall, 1981.
3. B. Boehm and V. Basili, "Software Defect Reduction Top 10 List," IEEE Computer, vol. 34, no. 1, pp. 135-137, January, 2001.
4. P. Chandra, B. Chess, and J. Steven, "Putting the Tools to Work: How to Succeed with Source Code Analysis," IEEE Security & Privacy, vol. 4, no. 3, pp. 80-83, May/June, 2006. (Pubitemid 44144084)
5. B. Chess and J. West, Secure Programming with Static Analysis, Boston, MA, Addison Wesley, 2007.
6. J. L. Devore, Probability and Statistics for Engineering and the Sciences, Belmont, CA, Thomson, 2008.
7. E. Dijkstra, Structured Programming, Brussels, Belgium, 1970.
8. R. Freund, R. Littell, and L. Creighton, Regression Using JMP, Cary, NC, SAS Institute, Inc., 2003.
9. M. Gegick, "Failure-prone Components are also Attackprone Components," OOPSLA - ACM student research competition, Nashville, Tennessee, pp. 917-918, October 2008.
10. M. Gegick and L. Williams, "STUDENT PAPER: Ranking Attack-prone Components with a Predictive Model," ISSRE, Redmond, WA, pp. 315-316, November 2008.
11. M. Gegick, L. Williams, J. Osborne, and M. Vouk, "Prioritizing Software Security Fortification through Code-Level Security Metrics," Workshop on Quality of Protection, Alexandria, VA, pp. 31-37, October 2008.
12. M. Gegick, L. Williams, and M. Vouk, "Predictive Models for Identifying Software Components Prone to Failure During Security Attacks," Build Security In (https://buildsecurityin.us-cert.gov/daisy/bsi/home.html) 2008.
13. M. Gegick, P. Rotella, and L. Williams, "Toward Nonsecurity Failures as a Predictor of Security Faults and Failures," ESSoS, Leuven, Belgium, February 4-6 2009.
14. M. Gegick, P. Rotella, and L. Williams, "Predicting Attack-prone Components," NCSU, Raleigh, TR-2009-1, 26 January 2009.
15. T. Hastie, R. Tibshirani, and J. H. Friedman, The Elements of Statistical Learning, New York, Springer, 2001.
16. ISO, "ISO/IEC DIS 14598-1 Information Technology - Software Product Evaluation - Part 1: General Overview," October 28 1996.
17. ISO/IEC 24765, "Software and Systems Engineering Vocabulary," 2006.
18. Y. Jiang, B. Cukic, and T. Menzies, "Cost Curve Evaluation of Fault Prediction Models," ISSRE, Redmond, WA, 11-14 November 2008.
19. T. M. Khoshgoftaar, E. B. Allen, and J. Deng, "Using Regression Trees to Classify Fault-Prone Software Modules," IEEE Transactions on Reliability, vol. 51, no. 4, pp. 455-562, December 2002.
20. R. Littell, W. Stroup, and R. Freund, SAS for Linear Models, Fourth Edition, Cary, NC., SAS Institute, Inc., 2002.
21. G. McGraw, Software Security: Building Security In, Boston, Addison-Wesley, 2006.
22. MITRE, "Common Weakness Enumeration," http://cwe.mitre.org/, 2006.
23. H. Motulsky, Intuitive Biostatistics, New York, Oxford University Press, 1995.
24. N. Nagappan and T. Ball, "Static Analysis Tools as Early Indicators of Pre-release Defect Density," ICSE, St. Louis, MO, pp. 580-586, 2005.
25. N. Nagappan and T. Ball, "Use of Relative Code Churn Measures to Predict Defect Density," ICSE, St. Louis, MO, pp. 284-292, 15-21 May 2005.
26. S. Neuhaus, T. Zimmermann, C. Holler, and A. Zeller, "Predicting Vulnerable Software Components," CCS, Alexandria, VA, pp. 529-540, 29 October-2 November 2007.
27. T. J. Ostrand, E. J. Weyuker, and R. M. Bell, "Where the bugs are," ISSTA, Boston, Massachusetts, pp. 86-96, 2004. (Pubitemid 41121380)
28. A. Ozment and S. Schechter, "Milk or wine: does software security improve with age?," 15th Conference on USENIX Security Symposium, pp. 93-104, July 2006.
29. SAS Institute Inc., "The Partition Platform," SAS Institute, Inc., Cary, NC, 2003.
30. M. Vouk and K. C. Tai, "Some Issues in Multi-Phase Software Reliability Modeling," CASCON, Toronto, pp. 512-523, October 1993.
31. I. Witten and E. Frank, Data Mining, Second ed. San Francisco, Elsevier, 2005.
32. M. Young and R. N. Taylor, "Rethinking the Taxonomy of Fault Detection Techniques," ICSE, pp. 53-62, 1989.
33. J. Zheng, L. Williams, W. Snipes, N. Nagappan, J. Hudepohl, and M. Vouk, "On the Value of Static Analysis Tools for Fault Detection," IEEE Transactions on Software Engineering, vol. 32, no. 4, pp. 240-253, April 2006.