{"title":"使用预测模型对易受攻击的组件进行排名","authors":"M. Gegick, L. Williams","doi":"10.1109/ISSRE.2008.24","DOIUrl":null,"url":null,"abstract":"Limited resources preclude software engineers from finding and fixing all vulnerabilities in a software system. An early security risk analysis that ranks software components by probability of being attacked can provide an affordable means to prioritizing fortification efforts to the highest risk components. We created a predictive model using classification and regression trees and the following internal metrics: quantity of Klocwork static analysis warnings, file coupling, and quantity of changed and added lines of code. We validated the model against pre-release security testing failures on a large commercial telecommunications system. The model assigned a probability of attack to each file where upon ranking the probabilities in descending order we found that 72% of the attack-prone files are in the top 10% of the ranked files and 90% in the top 20% of the files.","PeriodicalId":448275,"journal":{"name":"2008 19th International Symposium on Software Reliability Engineering (ISSRE)","volume":"3 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2008-11-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":"{\"title\":\"Ranking Attack-Prone Components with a Predictive Model\",\"authors\":\"M. Gegick, L. Williams\",\"doi\":\"10.1109/ISSRE.2008.24\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Limited resources preclude software engineers from finding and fixing all vulnerabilities in a software system. An early security risk analysis that ranks software components by probability of being attacked can provide an affordable means to prioritizing fortification efforts to the highest risk components. We created a predictive model using classification and regression trees and the following internal metrics: quantity of Klocwork static analysis warnings, file coupling, and quantity of changed and added lines of code. We validated the model against pre-release security testing failures on a large commercial telecommunications system. The model assigned a probability of attack to each file where upon ranking the probabilities in descending order we found that 72% of the attack-prone files are in the top 10% of the ranked files and 90% in the top 20% of the files.\",\"PeriodicalId\":448275,\"journal\":{\"name\":\"2008 19th International Symposium on Software Reliability Engineering (ISSRE)\",\"volume\":\"3 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2008-11-10\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"10\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2008 19th International Symposium on Software Reliability Engineering (ISSRE)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ISSRE.2008.24\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2008 19th International Symposium on Software Reliability Engineering (ISSRE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISSRE.2008.24","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Ranking Attack-Prone Components with a Predictive Model
Limited resources preclude software engineers from finding and fixing all vulnerabilities in a software system. An early security risk analysis that ranks software components by probability of being attacked can provide an affordable means to prioritizing fortification efforts to the highest risk components. We created a predictive model using classification and regression trees and the following internal metrics: quantity of Klocwork static analysis warnings, file coupling, and quantity of changed and added lines of code. We validated the model against pre-release security testing failures on a large commercial telecommunications system. The model assigned a probability of attack to each file where upon ranking the probabilities in descending order we found that 72% of the attack-prone files are in the top 10% of the ranked files and 90% in the top 20% of the files.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
