Journal:
Information and Software Technology, Vol. 164, 2023.

Authors:
Kalouptsoglou I, Siavvas M, Ampatzoglou A, Kehagias D, Chatzigeorgiou A.

Abstract:
Context: Software security is considered a major aspect of software quality as the number of discovered vulnerabilities in software products is growing. Vulnerability prediction is a mechanism that helps engineers to prioritize their inspection efforts focusing on vulnerable parts. Despite the recent advancements, current literature lacks a systematic mapping study on vulnerability prediction.
Objective: This paper aims to analyze the state-of-the-art of vulnerability  prediction focusing on: (a) the goals of vulnerability prediction-related studies; (b) the data collection processes and the types of datasets that exist in the literature; (c) the mostly examined techniques for the construction of the prediction models and their input features; and (d) the utilized evaluation techniques.
Method: We collected 180 primary studies following a broad search methodology across four popular digital libraries. We mapped these studies to the variables of interest and we identified trends and relationships between the studies.
Results: The main findings suggest that: (i) there are two major study types, prediction of vulnerable software components and forecasting of the evolution of vulnerabilities in software; (ii) most studies construct their own vulnerability-related dataset retrieving information from vulnerability databases for real-world software; (iii) there is a growing interest for deep learning models along with a trend on textual source code representation; and (iv) F1-score was found to be the most widely used evaluation metric.
Conclusions: The results of our study indicate that there are several open challenges in the domain of vulnerability prediction. One of the major conclusions, is the fact that most studies focus on within-project prediction, neglecting the real-world scenario of cross-project prediction.

Journal:
Entropy 2022, 24, 651.

Authors:
Kalouptsoglou I, Siavvas M, Kehagias D, Chatzigeorgiou A, Ampatzoglou A.

Abstract:
Software security is a very important aspect for software development organizations who wish to provide high-quality and dependable software to their consumers. A crucial part of software security is the early detection of software vulnerabilities. Vulnerability prediction is a mechanism that facilitates the identification (and, in turn, the mitigation) of vulnerabilities early enough during the software development cycle. The scientific community has recently focused a lot of attention on developing Deep Learning models using text mining techniques for predicting the existence of vulnerabilities in software components. However, there are also studies that examine whether the utilization of statically extracted software metrics can lead to adequate Vulnerability Prediction Models. In this paper, both software metrics- and text mining-based Vulnerability Prediction Models are constructed and compared. A combination of software metrics and text tokens using deeplearning models is examined as well in order to investigate if a combined model can lead to more accurate vulnerability prediction. For the purposes of the present study, a vulnerability dataset containing vulnerabilities from real-world software products is utilized and extended. The results of our analysis indicate that text mining-based models outperform software metrics-based models with respect to their F2-score, whereas enriching the text mining-based models with software metrics was not found to provide any added value to their predictive performance.

Conference:
EuroCybersec2021 Workshop

Authors:
Kalouptsoglou I, Siavvas M, Kehagias D, Chatzigeorgiou A, Ampatzoglou A.

Abstract:

Software security is a critical consideration for software development companies that want to provide their customers with high quality and dependable software. The automated detection of software vulnerabilities is a critical aspect in software security. Vulnerability prediction is a mechanism that enables the detection and mitigation of software vulnerabilities early enough in the development cycle. Recently the scientific community has dedicated a lot of effort on the design of Deep learning models based on text mining techniques. Initially, Bag-of-Words was the most promising method but recently more complex models have been proposed focusing on the sequences of instructions in the source code. Recent research endeavours have started utilizing word embedding vectors, which are widely used in text classification tasks like semantic analysis, for representing the words (i.e., code instructions) in vector format. These vectors could be trained either jointly with the other layers of the neural network, or they can be pre-trained using popular algorithms like word2vec and fast-text. In this paper, we empirically examine whether the utilization of word embedding vectors that are pre-trained separately from the vulnerability predictor could lead to more accurate vulnerability prediction models. For the purposes of the present study, a popular vulnerability dataset maintained by NIST was utilized. The results of the analysis suggest that pre-training the embedding vectors separately from the neural network leads to better vulnerability predictors with respect to their effectiveness and performance.