Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities

Journal of Systems Architecture

Volumn 57, Issue 3, 2011, Pages 294-313

  Chowdhury, Istehad ^a   Zulkernine, Mohammad ^a  

^a QUEEN S UNIVERSITY   (Canada)

Author keywords

Cohesion; Complexity; Coupling; Software metrics; Vulnerability prediction

Indexed keywords

COHESION; COHESION METRICS; COMPLEXITY; DESIGN DECISIONS; EMPIRICAL STUDIES; FALSE POSITIVE RATES; FIREFOX; LOGISTIC REGRESSIONS; MOZILLA; OPERATIONAL STAGES; PREDICTION ACCURACY; PREDICTION PERFORMANCE; RANDOM FORESTS; SECURITY FAILURE; SOFTWARE DEVELOPMENT LIFE CYCLE; SOFTWARE FAULT; SOFTWARE METRICS; SOFTWARE SECURITY; SOFTWARE SYSTEMS; STATISTICAL TECHNIQUES; STRUCTURAL INFORMATION; STRUCTURAL METRICS; VULNERABILITY PREDICTION;

ADHESION; COMPUTER SOFTWARE SELECTION AND EVALUATION; DECISION TREES; FORECASTING; SOFTWARE ARCHITECTURE; SOFTWARE DESIGN; WEB BROWSERS;

SECURITY OF DATA;

EID: 79952574726     PISSN: 13837621     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.sysarc.2010.06.003     Document Type: Article

References (71)

1. M. Bishop, Computer Security: Art and Science, Addison-Wesley, Boston, MA, 2003.
2. J. Grossman, Website Vulnerabilities Revealed: What everyone knew, but afraid to believe, White Hat Security Inc., (accessed July 2009).
3. Computer Emergency Response Team Coordination Center (CERT/CC), (accessed July 2009).
4. Jaquith, Security Metrics: Replacing Fear, Uncertainty, and Doubt, Pearson Education Inc. Upper Saddle River, NJ, 2007.
5. E. Damiani, C.A. Ardagna, N.E. Ioini, Open Source Systems Security Certification, Springer, 2009.
6. G. Koru, and J. Tian An empirical comparison and characterization of high defect and high complexity modules Journal of Systems and Software 67 2003 153 163
7. M. Cartwright, and M. Shepperd An empirical investigation of an object-oriented software system IEEE Transactions on Software Engineering 26 8 2000 786 796
8. Janes, M. Scotto, W. Pedrycz, B. Russo, M. Stefanovic, and G. Succi Identification of defect-prone classes in telecommunication software systems using design metrics Journal of Systems and Software 176 2006 3711 3734 (Pubitemid 44419569)
9. G. Succi, W. Pedrycz, M. Stefanovic, and J. Miller Practical assessment of the models for identification of defect-prone classes in object-oriented commercial systems using design metrics Journal of Systems and Software 65 2003 1 12
10. K. El Emam, W. Melo, and J.C. Machado The prediction of faulty classes using object-oriented design metrics Journal of Systems and Software 56 2001 63 75 (Pubitemid 33649526)
11. V. Basili, L. Briand, and W. Melo A validation of object-oriented design metrics as quality indicators IEEE Transactions on Software Engineering 22 1996 751 761 (Pubitemid 126771690)
12. K.O. Elish, and M.O. Elish Predicting defect-prone software modules using support vector machines Journal of Systems and Software 81 2008 649 660 (Pubitemid 351389562)
13. N. Nagappan, T. Ball, A. Zeller, Mining metrics to predict component failures, in: Proceedings of the 28th International Conference on Software Engineering, Shanghai, China, May 2006, pp. 452-461. (Pubitemid 46600942)
14. T. Menzies, J. Greenwald, and A. Frank Data mining static code attributes to learn defect predictors IEEE Transactions on Software Engineering 33 9 2007 2 13 (Pubitemid 46002165)
15. H. Zhang, X. Zhang, M. Gu, Predicting defective software components from code complexity measures, in: Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing, Melbourne, Australia, December 2007, pp. 93-96.
16. W.M. Evanco, and W.W. Agresti A composite complexity approach for software defect modelling Software Quality Journal 3 1994 27 44
17. N. Fenton, P. Krause, and M. Neil A probabilistic model for software defect prediction IEEE Transactions on Software Engineering 2143 2001 444 453 (Pubitemid 33334693)
18. IEEE, IEEE Std. 982.1-1988 IEEE Standard Dictionary of Measures to Produce Reliable Software, The Institute of Electrical and Electronics Engineers, June 1988.
19. S.R. Chidamber, and C.F. Kemerer A metrics suite for object oriented design IEEE Transactions on Software Engineering 20 6 1994 476 493
20. N.E. Fenton, and S.L. Pfleeger Software Metrics: A Rigorous and Practical Approach 1997 PWS Publishing Co. Boston, MA, USA
21. T.J. McCabe A complexity measure IEEE Transactions on Software Engineering 2 4 1976 308 320
22. G.J. Myers, Composite/Structured Design, Van Nostrand Reinhold Company, New York, 1978.
23. W.A. Harrison, and K.I. Magel A complexity measure based on nesting level ACM Sigplan Notices 16 3 1981 63 74
24. S. Henry, and D. Kafura Software structure metrics based on information flow IEEE Transactions on Software Engineering 1981 510 518 (Pubitemid 12439180)
25. K. Ayari, P. Meshkinfam, G. Antoniol, M. Di Penta, Threats on Building Models from CVS and Bugzilla Repositories: the Mozilla Case Study, in: Proceedings of the 2007 Conference of the Center for Advanced Studies on Collaborative Research, Richmond Hill, Ontario, Canada, October 2007, pp. 215-228.
26. O.H. Alhazmi, Y.K. Malaiya, and I. Ray Measuring, analyzing and predicting security vulnerabilities in software systems Computers and Security 26 3 2007 219 228 (Pubitemid 46734415)
27. S. Neuhaus, T. Zimmermann, A. Zeller, Predicting vulnerable software components, in: Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, October 2007, pp. 529-540.
28. M.Y. Liu, I. Traore, empirical relations between attackability and coupling: a case study on DoS, in: Proceedings of the 2006 ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, Ottawa, Canada, June 2006, pp. 57-64. (Pubitemid 44059947)
29. Y. Shin, L. Williams, Is complexity really the enemy of software security? in: Proceedings of the Fourth ACM Workshop on Quality of Protection, Alexandria, Virginia, USA, October 2008, pp. 47-50.
30. Y. Shin, L. Williams, An empirical model to predict security vulnerabilities using code complexity metrics, in: Proceedings of the Second ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, Kaiserslautern, Germany, October 2008, pp. 315-317.
31. Y. Shin, Exploring complexity metrics as indicators of software vulnerability, in: Proceedings of the Third International Doctoral Symposium on Empirical Software Engineering, Kaiserslautem, Germany, October 2008, available from the author's website (accessed July 2009).
32. M. Gegick, L. Williams, M. Vouk, Predictive models for identifying software components prone to failure during security attacks, Technical Report, Department of Computer Science, North Carolina State University, USA, October 28, 2008.
33. I. Chowdhury, B. Chan, M. Zulkernine, Security metrics for source code structures, in: Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems, Leipzig, Germany, May 2008, pp. 57-64.
34. H. Malik, I. Chowdhury, H.M. Tsou, Z. Ziang, A.E. Hassan, Understanding the rationale for updating a function's comment, in: Proceeding of the 24th International Conference on Software Maintenance, Beijing, China, September 2008, pp. 167-176.
35. I. Chowdhury, M. Zulkernine, Can complexity, coupling, and cohesion metrics be used as early indicators of vulnerabilities? in: Proceedings of the 25th ACM Symposium on Applied Computing, Sierre, Switzerland, March 22-26, 2010.
36. J. Cohen, Statistical Power Analysis for the Behavioral Sciences, second ed., Academic Press, New York, 1988.
37. Mozilla Firefox, (accessed July 2009).
38. Bugzilla, (accessed July 2009).
39. Mozilla Vulnerabilities, (accessed July 2009).
40. Index of Mozilla FTP Server, (accessed July 2009).
41. Mozilla Developer Guide, (accessed July 2009).
42. SciTools Inc., (accessed July 2009).
43. SciTools Inc. Blog, (accessed July 2009).
44. Browser Statistics, (accessed July 2009).
45. The Linux Information Project, (accessed July 2009).
46. Security Advisory for Firefox 2.0, (accessed July 2009).
47. Mozilla Foundation Security Advisory 2008-27, (accessed July 2009).
48. Bug 423541 - (CVE-2008-2805) "Arbitrary file upload via originalTarget and DOM Range", https://bugzilla.mozilla.org/show-bug.cgi? id=423541 (accessed July 2009).
49. Diff Page for Bug 423541 in Mozilla Firefox, (accessed July 2009).
50. WEKA Toolkit, (accessed July 2009).
51. Common Vulnerabilities and Exposures, (accessed July 2009).
52. BeautifulSoup, (accessed July 2009).
53. StatPy: Statistical Computing with Python, (accessed July 2009).
54. Documentation of the Implemented Tool, (accessed July 2009).
55. E. Arisholm, L.C. Briand, M. Fuglerud, Data mining techniques for building fault-proneness models in telecom Java software, in: Proceedings of the 18th IEEE International Symposium on Software Reliability Engineering, Trollhättan, Sweden, November 2007, pp. 215-224.
56. T.J. Ostrand, E.J. Weyuker, How to measure success of fault prediction models, in: Proceedings of the Fourth International Workshop on Software Quality Assurance, Dubrovnik, Croatia, September 2007, pp. 25-30. (Pubitemid 351438745)
57. Y. Ma, L. Guo, and B. Cukic A Statistical Framework for the Prediction of Fault-Proneness 2006 Advances in Machine Learning Application in Software Engineering Idea Group Inc. pp. 237-265
58. I.H. Witten, and E. Frank Data Mining: Practical Machine Learning Tools and Techniques (2nd ed.) 2005 Morgan Kaufmann San Francisco
59. L. Kuang, M. Zulkernine, An anomaly intrusion detection method using the CSI-KNN algorithm, in: Proceedings of the 23rd Annual ACM Symposium on Applied Computing, Fortaleza, Brazil, March 2008, pp. 921-926.
60. J. Zhang, M. Zulkernine, and A. Haque Random forest-based network intrusion detection systems IEEE Transactions on Systems Man and Cybernetics 38 5 2008 648 658
61. A.E. Hassan, Predicting faults using the complexity of code changes, in: Proceedings of the 31st International Conference on Software Engineering, Vancouver, Canada, May 2009, pp. 45-56.
62. T. Zimmermann, R. Premraj, A. Zeller, Predicting defects for eclipse, in: Proceedings of the Third International Workshop on Predictor Models in Software Engineering, Washington, DC, USA, May 2007, pp. 9-15.
63. A.E. Hassan, Mining Software Repositories to Assist Developers and Support Managers, PhD. Thesis, University of Waterloo, 2004.
64. M. Philips The inevitability of punishing the innocent Journal of Philosophical Studies, Springer, Netherlands 48 3 1985 389 391
65. J. Rijsbergen, Information Retrieval, Second ed., Butterworth-Heinemann, 1979.
66. J.K. Kearney, R.L. Sedlmeyer, W.B. Thompson, M.A. Gray, and M.A. Adler Software complexity measurement ACM Communications 29 11 1986 1044 1050
67. M. Comuzzi, C. Kotsokalis, G. Spanoudakis, R. Yahyapour, Establishing and monitoring SLAs in complex service based systems, in: Proceedings of the Seventh IEEE International Conference on Web Services, CA, USA, July 2009, pp.783-790.
68. L. Bass, P. Clements, and R. Kazman Software Architecture in Practice, second ed. 2003 Addison-Wesley Boston p. 21
69. L.C. Briand, S.J. Carrire, R. Kazman, and J. Wüst COMPARE: a comprehensive framework for architecture evaluation Lecture Notes in Computer Science, Springer-Berlin 1543 1998 594
70. N. Landwehr, M. Hall, and E. Frank Logistic model trees J. Mach. Learn. 59 1-2 2005 161 205 (Pubitemid 40890416)
71. B. Henderson-Sellers, L. Constantine, and I. Graham Coupling and cohesion (towards a valid metrics suite for object-oriented analysis and design) Object-Oriented Systems 3 3 1996 143 158 (Pubitemid 126142254)