cicyt UNIZAR
Full-text links:

Download:

Current browse context:

cs.SE

Change to browse by:

cs

References & Citations

DBLP - CS Bibliography

Bookmark

(what is this?)
CiteULike logo BibSonomy logo Mendeley logo del.icio.us logo Digg logo Reddit logo ScienceWISE logo

Computer Science > Software Engineering

Title: Cost-aware Vulnerability Prediction: the HARMLESS Approach

Abstract: Society needs more secure software. But predicting vulnerabilities is difficult and existing methods are not applied in practical use due to various limitations. The goal of this paper is to design a vulnerability prediction method in a cost-aware manner so that it can balance the percentage of vulnerabilities found against the cost of human effort on security review and test. To this purpose, this paper presents HARMLESS, an incremental vulnerability prediction tool. HARMLESS is an active learner that (a) builds a support vector machine on the source code files reviewed to date; then (b) suggests what other source code files might have vulnerabilities and need to be reviewed next. A unique feature of HARMLESS is that HARMLESS can estimate the number of remaining vulnerabilities. To the best of our knowledge, HARMLESS is the first tool providing such estimation in the arena of vulnerability prediction. Using that estimator, HARMLESS can guide the security review and test to any level of desired recall, i.e. percentage of vulnerabilities found. In experiments on a case study of Mozilla Firefox project, HARMLESS found 90, 95, 99% of known vulnerabilities by reviewing and testing 26, 33, 45% of the source code files, respectively.
Comments: 10+1 pages, 2 figures, 5 tables. Submitted to ESEC/FSE 2018
Subjects: Software Engineering (cs.SE)
Cite as: arXiv:1803.06545 [cs.SE]
  (or arXiv:1803.06545v1 [cs.SE] for this version)

Submission history

From: Zhe Yu [view email]
[v1] Sat, 17 Mar 2018 17:51:02 GMT (278kb,D)