Please use this identifier to cite or link to this item:
Title: Vulnerable Code Detection Using Software Metrics and Machine Learning
Authors: Medeiros, Nadia 
Ivaki, Naghmeh 
Costa, Pedro 
Vieira, Marco 
Keywords: Application scenarios; machine learning; software metrics; software security; security vulnerabilities
Issue Date: 2020
Serial title, monograph or event: IEEE Access
Volume: 8
Abstract: Software metrics are widely-used indicators of software quality and several studies have shown that such metrics can be used to estimate the presence of vulnerabilities in the code. In this paper, we present a comprehensive experiment to study how effective software metrics can be to distinguish the vulnerable code units from the non-vulnerable ones. To this end, we use several machine learning algorithms (Random Forest, Extreme Boosting, Decision Tree, SVM Linear, and SVM Radial) to extract vulnerability-related knowledge from software metrics collected from the source code of several representative software projects developed in C/CCC (Mozilla Firefox, Linux Kernel, Apache HTTPd, Xen, and Glibc). We consider different combinations of software metrics and diverse application scenarios with different security concerns (e.g., highly critical or non-critical systems). This experiment contributes to understanding whether software metrics can effectively be used to distinguish vulnerable code units in different application scenarios, and howcan machine learning algorithms help in this regard. The main observation is that using machine learning algorithms on top of software metrics helps to indicate vulnerable code units with a relatively high level of con dence for security-critical software systems (where the focus is on detecting the maximum number of vulnerabilities, even if false positives are reported), but they are not helpful for low-critical or non-critical systems due to the high number of false positives (that bring an additional development cost frequently not affordable).
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2020.3041181
Rights: openAccess
Appears in Collections:I&D CISUC - Artigos em Revistas Internacionais

Files in This Item:
Show full item record


checked on Nov 17, 2022

Page view(s)

checked on Sep 25, 2023


checked on Sep 25, 2023

Google ScholarTM




This item is licensed under a Creative Commons License Creative Commons