Institutional Digital Repository
Shreenivas Deshpande Library, IIT (BHU), Varanasi

Ensemble Models for Vulnerability Prediction Using Code Metrics


Abstract

Software vulnerabilities are glitches or flaws that attackers can exploit to gain unauthorized control over systems. Because such attacks can cause disastrous information-security incidents, it is important to detect these vulnerabilities in code as early as possible. Several efforts in the early 2000s built vulnerability prediction models (VPMs) using static string analysis and text mining; those analysis tools were mostly glorified forms of the well-known regex tool grep. In this paper, we present a novel ensemble-based classification architecture that stacks advanced probabilistic machine learning classifiers to predict software vulnerabilities at project-level granularity. We use static software metrics as features, together with feature selection, and achieve much higher accuracy and precision scores than existing state-of-the-art work that uses ensemble models for vulnerability prediction. To the best of our knowledge, no suitable large-scale code-metrics dataset existed for C/C++. As part of this study, we have therefore also created a large software-metrics dataset from the projects and vulnerability test cases available in the Software Assurance Reference Dataset (SARD) and made it publicly available for further research.

© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2024.
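The abstract describes the pipeline only in outline: static code metrics as features, a filter for feature selection, and a stacked ensemble of probabilistic classifiers. The following is an added, self-contained illustration of that shape, written for this page; it is not the paper's code and does not reproduce the paper's classifiers, metrics or dataset. Every concrete choice is an assumption made here: the five metric columns (lines of code, cyclomatic complexity, maximum nesting depth, count of unsafe library calls, and a comment ratio that carries no signal), the Fisher-score filter, Gaussian naive Bayes and logistic regression as base learners, logistic regression as the meta-learner, and the constructed Gaussian sample data.

```python
# Stacked vulnerability predictor over static code metrics. Added illustration,
# not the paper's code: the metric columns, the Fisher-score filter, the two base
# learners, the logistic meta-learner and the constructed data are all assumptions.
import math
import random

def mean(xs): return sum(xs) / len(xs)
def var(xs, m): return sum((x - m) ** 2 for x in xs) / len(xs)

def make_dataset(n=160, seed=7):
    """Constructed rows [loc, cyclomatic, max_nesting, unsafe_calls, comment_ratio];
    label 1 ('vulnerable') gets higher complexity; comment_ratio is pure noise."""
    rng = random.Random(seed)
    X, y = [], []
    for i in range(n):
        t = i % 2
        X.append([rng.gauss(80 + 120 * t, 25), rng.gauss(6 + 10 * t, 2),
                  rng.gauss(2 + 3 * t, 0.8), rng.gauss(1 + 4 * t, 1.2),
                  rng.gauss(0.2, 0.05)])
        y.append(t)
    return X, y

def select_features(X, y, k):
    """Filter selection: keep the k columns with the highest Fisher score."""
    scores = []
    for col in zip(*X):
        a = [v for v, t in zip(col, y) if t == 1]
        b = [v for v, t in zip(col, y) if t == 0]
        ma, mb = mean(a), mean(b)
        scores.append((ma - mb) ** 2 / (var(a, ma) + var(b, mb) + 1e-12))
    return sorted(sorted(range(len(scores)), key=lambda j: -scores[j])[:k])

class GaussianNB:
    """Probabilistic base learner: one Gaussian per class per feature."""
    def fit(self, X, y):
        self.stats = {}
        for c in (0, 1):
            rows = [r for r, t in zip(X, y) if t == c]
            self.stats[c] = (len(rows) / len(X),
                             [(mean(col), var(col, mean(col)) + 1e-9) for col in zip(*rows)])
        return self
    def predict_proba(self, x):
        lp = {c: math.log(p) + sum(-0.5 * math.log(2 * math.pi * s2) - (v - m) ** 2 / (2 * s2)
                                   for v, (m, s2) in zip(x, params))
              for c, (p, params) in self.stats.items()}
        top = max(lp.values())  # log-sum-exp keeps the normalisation stable
        return math.exp(lp[1] - top) / sum(math.exp(v - top) for v in lp.values())

class Logistic:
    """Logistic regression by batch gradient descent on standardised inputs;
    used as a base learner and, separately fitted, as the stacking meta-learner."""
    def __init__(self, lr=0.1, epochs=300):
        self.lr, self.epochs = lr, epochs
    def fit(self, X, y):
        cols = list(zip(*X))
        self.mu = [mean(c) for c in cols]
        self.sd = [math.sqrt(var(c, m)) or 1.0 for c, m in zip(cols, self.mu)]
        Z = [self._scale(r) for r in X]
        self.w, self.b = [0.0] * len(cols), 0.0
        for _ in range(self.epochs):
            gw, gb = [0.0] * len(cols), 0.0
            for z, t in zip(Z, y):
                e = self._sigmoid(z) - t
                gw, gb = [g + e * v for g, v in zip(gw, z)], gb + e
            self.w = [w - self.lr * g / len(Z) for w, g in zip(self.w, gw)]
            self.b -= self.lr * gb / len(Z)
        return self
    def _scale(self, r): return [(v - m) / s for v, m, s in zip(r, self.mu, self.sd)]
    def _sigmoid(self, z):
        logit = sum(w * v for w, v in zip(self.w, z)) + self.b
        return 1.0 / (1.0 + math.exp(-max(-500.0, min(500.0, logit))))
    def predict_proba(self, x): return self._sigmoid(self._scale(x))

class Stacker:
    """Stacking: the meta-learner trains on out-of-fold base probabilities, so it
    never sees a base prediction for a sample that base model was fitted on."""
    def __init__(self, bases, meta, folds=5):
        self.bases, self.meta, self.folds = bases, meta, folds
    def fit(self, X, y):
        meta_X = [None] * len(X)
        for f in range(self.folds):
            tr = [i for i in range(len(X)) if i % self.folds != f]
            fitted = [mk().fit([X[i] for i in tr], [y[i] for i in tr]) for mk in self.bases]
            for i in range(f, len(X), self.folds):
                meta_X[i] = [m.predict_proba(X[i]) for m in fitted]
        self.fitted = [mk().fit(X, y) for mk in self.bases]
        self.meta_model = self.meta().fit(meta_X, y)
        return self
    def predict(self, x):
        return int(self.meta_model.predict_proba([m.predict_proba(x) for m in self.fitted]) >= 0.5)

def run_demo(k=4, n_train=120):
    """Select features and fit on the first n_train rows; score the held-out rest."""
    X, y = make_dataset()
    keep = select_features(X[:n_train], y[:n_train], k)
    Xs = [[r[j] for j in keep] for r in X]
    model = Stacker([GaussianNB, Logistic], Logistic).fit(Xs[:n_train], y[:n_train])
    hits = sum(model.predict(r) == t for r, t in zip(Xs[n_train:], y[n_train:]))
    return keep, hits / (len(X) - n_train)
```

Two details matter in practice. Feature selection is fitted on the training rows only, so the held-out accuracy is not inflated by peeking at test labels when the noise column is dropped. The meta-learner is trained on out-of-fold base probabilities rather than on the base models' predictions for their own training data; skipping that step lets overconfident base learners leak training-set fit into the second level, which is the usual way a stacked VPM looks better in the paper than on the next project.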
