A New Method of Security Bug Reports Analysis
Authors: Yunwu Xu, Yan Li
Journal: IT Professional (IEEE Computer Society), journal article, published 2024-05-01
DOI: 10.1109/mitp.2023.3298520 (https://doi.org/10.1109/mitp.2023.3298520)
Journal impact factor: 2.2; JCR Q3, Computer Science, Information Systems
Open access: no
Citations: 0
Abstract
The investigation develops a method for improving the quality of security bug report (SBR) prediction during the software development and application processes. The research includes three stages. The first stage is preparing the source data. The second stage is constructing an original SBR prediction method using a machine learning algorithm, random forest (RF). The third stage is evaluating our method against well-established methods such as filtering and ranking for security bug report prediction (FARSEC) and Keywords Matrix. It was shown that the values of indicators such as accuracy, precision, recall, and F-score when using the RF algorithm are, on average, 0.2–1% higher than when using the FARSEC and Keywords Matrix methods. The larger the initial number of reports in the database, the higher the accuracy, precision, recall, and F-score that can be obtained. The new method can be used to predict SBRs during the software development and application processes.
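The abstract names the two ingredients of the pipeline (a keyword-based baseline and a random-forest classifier over bug-report text) and the four indicators used to compare them. The following is an added illustration, not the paper's code, data or RF configuration: it classifies a handful of constructed bug-report titles with a keyword baseline and with a minimal random forest (bootstrap-sampled decision stumps over random word subsets), then scores both with accuracy, precision, recall and F1. The report titles, the SECURITY_KEYWORDS list (a stand-in for the FARSEC and Keywords Matrix word lists, which are not reproduced here) and all function names are assumptions made for this example.

```python
import random
import re
from collections import Counter

# Constructed sample bug-report titles (1 = security-related, 0 = other).
# Invented for this example; not drawn from the paper's dataset.
REPORTS = [
    ("SQL injection in login form allows authentication bypass", 1),
    ("Buffer overflow in image parser crashes the service", 1),
    ("Stored XSS in comment field executes attacker script", 1),
    ("Password stored in plaintext in the config file", 1),
    ("CSRF token missing on the settings page", 1),
    ("Session cookie lacks the secure attribute", 1),
    ("Button alignment broken on mobile layout", 0),
    ("Typo in welcome email subject line", 0),
    ("Slow page load when listing many orders", 0),
    ("Date picker shows wrong month in leap years", 0),
    ("Unit test is flaky on the CI runner", 0),
    ("Export to CSV drops the last column", 0),
]
# Hand-picked vocabulary for the keyword baseline (an assumption standing in
# for the FARSEC / Keywords Matrix word lists, which are not reproduced here).
SECURITY_KEYWORDS = {"injection", "overflow", "xss", "password", "privilege",
                     "csrf", "bypass", "exploit", "vulnerability", "attacker"}

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def keyword_predict(text):
    """Baseline: flag a report as SBR if any security keyword appears."""
    return int(any(tok in SECURITY_KEYWORDS for tok in tokenize(text)))

def metrics(y_true, y_pred):
    """Accuracy, precision, recall and F1 with SBR (label 1) as the positive class."""
    c = Counter(zip(y_true, y_pred))
    tp, tn, fp, fn = c[1, 1], c[0, 0], c[0, 1], c[1, 0]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(y_true), "precision": precision,
            "recall": recall, "f1": f1}

def gini(labels):
    p = sum(labels) / len(labels) if labels else 0.0
    return 2.0 * p * (1.0 - p)  # binary Gini impurity

def majority(labels):
    return int(2 * sum(labels) >= len(labels))  # ties go to SBR, favouring recall

def split(X, y, f):  # labels of rows where word f is present / absent
    return ([yi for xi, yi in zip(X, y) if xi[f]],
            [yi for xi, yi in zip(X, y) if not xi[f]])

def train_stump(X, y, candidate_features):
    """One-level tree on the candidate feature with the lowest weighted Gini.
    Returns (feature, label_if_present, label_if_absent); feature is None when
    no candidate split improves on the unsplit impurity."""
    best_score, best_f = gini(y), None
    for f in candidate_features:
        left, right = split(X, y, f)
        score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
        if score < best_score:
            best_score, best_f = score, f
    if best_f is None:
        return None, majority(y), majority(y)
    left, right = split(X, y, best_f)
    return best_f, majority(left), majority(right)

def train_forest(X, y, n_trees=25, seed=0):
    """Bootstrap samples plus random feature subsets over stumps: a minimal RF."""
    rng = random.Random(seed)
    n_feat, k = len(X[0]), max(1, int(len(X[0]) ** 0.5))
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in X]
        forest.append(train_stump([X[i] for i in idx], [y[i] for i in idx],
                                  rng.sample(range(n_feat), k)))
    return forest

def forest_predict(forest, x):
    return majority([yes if f is None or x[f] else no for f, yes, no in forest])

def vectorize(text, vocab):
    toks = set(tokenize(text))
    return [int(w in toks) for w in vocab]

def evaluate_keyword(reports=REPORTS):
    return metrics([l for _, l in reports], [keyword_predict(t) for t, _ in reports])

def evaluate_forest(reports=REPORTS, seed=0):
    """Leave-one-out: train on the other reports, predict the held-out one."""
    vocab = sorted({w for t, _ in reports for w in tokenize(t)})
    y_true, y_pred = [], []
    for i, (text, label) in enumerate(reports):
        train = reports[:i] + reports[i + 1:]
        forest = train_forest([vectorize(t, vocab) for t, _ in train],
                              [l for _, l in train], seed=seed)
        y_true.append(label)
        y_pred.append(forest_predict(forest, vectorize(text, vocab)))
    return metrics(y_true, y_pred)

if __name__ == "__main__":
    print("keyword baseline:", evaluate_keyword())
    print("stump forest, leave-one-out:", evaluate_forest())
```

Two practitioner caveats the example makes visible. First, a bag-of-words learner, like the keyword list, can only act on words it has seen: "Session cookie lacks the secure attribute" is missed by the baseline because none of its words are on the list, and the forest is no better on a vocabulary this small, which is the concrete side of the abstract's observation that all four indicators rise with the number of reports in the database. Second, SBRs are a small minority in real trackers, so accuracy alone is a misleading headline; report precision and recall, and always score on held-out reports (leave-one-out here) rather than on the training set.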
Journal: IT Professional (JCR categories: Computer Science, Information Systems; Computer Science, Software Engineering)
CiteScore: 5.00
Self-citation rate: 0.00%
Articles published: 111
Review time: >12 weeks
Journal description:
IT Professional is a technical magazine of the IEEE Computer Society. It publishes peer-reviewed articles, columns and departments written for and by IT practitioners and researchers covering:
practical aspects of emerging and leading-edge digital technologies,
original ideas and guidance for IT applications, and
novel IT solutions for the enterprise.
IT Professional’s goal is to inform the broad spectrum of IT executives, IT project managers, IT researchers, and IT application developers from industry, government, and academia.