Predicting Attack-prone Components with Internal Metrics

Extensive research has shown that reliability models based upon software metrics can be used to predict which components are faultand/or failure-prone early in the development process. In this research, we seek to parallel failure-prone component prediction with security models to predict which components are attack-prone. Security experts can use these models to make informed risk management decisions and to prioritize redesign, inspection, and testing efforts. We collected and analyzed data from a large commercial telecommunications software system containing over one million lines of code that had been deployed to the field for two years. Using recursive partitioning and logistic regression, we built attack-prone prediction models with the following metrics: static analysis tool output, code churn, source lines of code, failure reports from feature/system testing, and customer-reported failures. The models were validated against k-fold cross-validation and ROC curves. One model identified 100% of the attack-prone components with an 8% false positive rate.