Toward Non-security failures as a predictor of security faults and failures

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5429 LNCS, Issue , 2009, Pages 135-149

  Gegick, Michael ^a   Rotella, Pete ^b   Williams, Laurie ^a  

^a North Carolina State University   (United States)

^b CISCO SYSTEMS   (United States)

Author keywords

Attack prone; Classification and regression tree

Indexed keywords

ATTACK-PRONE; CLASSIFICATION AND REGRESSION TREE; CLASSIFICATION AND REGRESSION TREE MODELS; COMPONENT RANKING; FALSE POSITIVE RATES; INPUT VARIABLES; PREDICTION MODEL; SECURITY FAILURE; SOFTWARE LIFE CYCLES; SOFTWARE SYSTEMS; SYSTEM COMPONENTS;

COMPUTER SOFTWARE; MATHEMATICAL MODELS; PROBABILITY; REGRESSION ANALYSIS; SAFETY ENGINEERING;

SECURITY OF DATA;

EID: 70350630478     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-00199-4_12     Document Type: Conference Paper

References (30)

1. Alhazmi, O.H., Malaiya, Y.K., Ray, I.: Measuring, analyzing and predicting vulnerabilities in software systems. Computers & Security 26(3), 219-228 (2006)
2. Boehm, B., Basili, V.: Software Defect Reduction Top 10 List. IEEE Computer 34(1), 135-137 (2001)
3. Codon, E., Cukier, M., He, T.: Applying Software Reliability Models on Security Incidents. In: International Symposium on Software Reliability Engineering, Trollhattan, Sweden (2007)
4. Denaro, G.: Estimating software fault-proneness for tuning testing activities. In: International Conference on Software Engineering, St. Malo, France, pp. 269-280 (2000) [5] Dijkstra, E.: Structured Programming, Brussels, Belgium (1970)
5. Endres, A., Rombach, R.D.: A Handbook of Software and Systems Engineering, Harlow, England. Pearson Education, Limited, London (2003)
6. Freund, R., Littell, R., Creighton, L.: Regression Using JMP, Cary, NC. SAS Institute, Inc. (2003)
7. Gegick, M., Williams, L.: Toward the Use of Static Analysis Alerts for Early Identification of Vulnerability- and Attack-prone Components. In: First International Workshop on Systems Vulnerabilities (SYVUL 2007), Santa Clara, CA, July 1-6 (2007)
8. Gegick, M.: Failure-prone Components are also Attack-prone Components. In: OOPSLA - ACM student research competition, Nashville, Tennessee, October 2008, pp. 917-918 (2008)
9. Gegick, M., Williams, L.: STUDENT PAPER: Ranking Attack-prone Components with a Predictive Model. In: International Symposium on Software Reliability Engineering, Redmond, WA, November 2008, pp. 315-316 (2008)
10. Gegick, M., Williams, L., Osborne, J., Vouk, M.: Prioritizing Software Security Fortification through Code-Level Security Metrics. In: Workshop on Quality of Protection, Alexandria, VA, pp. 31-37 (2008)
11. Gegick, M., Williams, L., Vouk, M.: Predictive Models for Identifying Software Components Prone to Failure During Security Attacks (2008) Build Securit In, https://buildsecurityin.us-cert.gov/daisy/bsi/home.html
12. Hastie, T., Tibshirani, R., Friedman, J.H.: The Elements of Statistical Learning. Springer, New York (2001)
13. ISO, ISO/IEC DIS 14598-1 Information Technology - Software Product Evaluation - Part 1: General Overview (October 28, 1996)
14. ISO/IEC 24765 Software and Systems Engineering Vocabulary (2006)
15. Khoshgoftaar, T.M., Allen, E.B., Naik, A., Jones, W., Hudepohl, J.P.: Using Classification Trees for Software Quality Models: Lessons Learned. International Journal on Software Engineering and Knowledge Engineering 9(2), 212-231 (1999)
16. Krsul, I.: Software Vulnerability Analysis, PhD Thesis in Computer Science at Purdue University, West Lafayette (1998)
17. Mullen, R., Gokhale, S.: A Discrete Lognormal Model for Software Defects Affecting QoP. Quality of Protection, Milan, Italy, September 15 (2005)
18. Musa, J.D.: Software reliability engineering: More reliable software faster and cheaper, 2nd edn., Bloomington, Indiana, AuthorHouse (2004)
19. Nagappan, N., Ball, T.: Use of Relative Code Churn Measures to Predict Defect Density. In: International Conference on Software Engineering, St. Louis, MO, May 15-21, 2005, pp. 284-292 (2005)
20. Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting Vulnerable Software Components. In: Computer and Communications Security, Alexandria, VA, 29 October-2 November 2007, pp. 529-540 (2007)
21. Ostrand, T.J., Weyuker, E.J., Bell, R.M.: Where the bugs are. In: International Symposium on Software Testing and Analysis, Boston, Massachusetts, pp. 86-96 (2004)
22. Ozment, A., Schechter, S.: Milk or wine: does software security improve with age? In: 15th Conference on USENIX Security Symposium, July 2006, pp. 93-104 (2006)
23. Saltzer, J., Schroeder, M.: The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), 1278-1308 (1975)
24. Institute Inc, S.A.S.: The Partition Platform. SAS Institute, Inc., Cary (2003)
25. Schroter, A., Zimmermann, T., Zeller, A.: Predicting Component Failures at Design Time. In: International Symposium on Empirical Software Engineering, Rio de Janeiro, Brazil, September 21-22, 2006, pp. 18-27 (2006)
26. Shin, Y., Williams, L.: Is Complexity Really the Enemy of Software Security? In: Workshop on Quality of Protection, Alexandria, VA, pp. 47-50 (2008)
27. Viega, J., McGraw, G.: Building Secure Software How to Avoid Security Problems the Right Way. Addison-Wesley, Boston (2002)
28. Vouk, M., Tai, K.C.: Some Issues in Multi-Phase Software Reliability Modeling. In: Center for Advanced Studies Conference (CASCON), Toronto, October 1993, pp. 512-523 (1993)
29. Witten, I., Frank, E.: Data Mining, 4th edn. San Francisco. Elsevier, Amsterdam (2005)
30. Zheng, J., Williams, L., Snipes, W., Nagappan, N., Hudepohl, J., Vouk, M.: On the Value of Static Analysis Tools for Fault Detection. IEEE Transactions on Software Engineering 32(4), 240-253 (2006)