Visible to the public Vulnerability and Resilience Prediction Models - April 2017Conflict Detection Enabled

Submitted by drwright on Mon, 03/20/2017 - 7:15pm

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s):  Mladen Vouk, Laurie Williams
Researchers:  Akond Rahman

HARD PROBLEM(S) ADDRESSED

  • Security Metrics and Models
  • Resilient Architectures
  • Scalability and Composability

Resilience of software to attacks is an open problem. Resilience depends on the science behind the approach used, as well as on our engineering abilities, and our ability to manage errors introduced by human factors. The scope includes recognition of attacks through metrics and models we use to describe and identify software vulnerabilities, and the models we use to predict resilience to attacks in the field (Security Metrics and Models). It also depends on the software (and system) architecture(s) used (Resilient Architectures), and their scalability (Scalability and Composability). For example, if one has a number of highly attack-resilient components and appropriate attack sensors, is it possible to compose a resilient system from these parts, and how does that solution scale and age?

Vulnerability prediction models can be used to prioritize security-related validation and verification efforts to the most risky parts of a project.  We draw inspiration from these studies and identify the possibility of applying data mining techniques to predict vulnerabilities during design, development and operational phases. In order to provide end-to-end run-time resilience a pro-active approach to securing sensitive workflows end-to-end is needed..We draw inspiration for this from classical high assurance safety considerations in combination with integrity, confidentiality, and availability models and constraints relevant to preservation of security, privacy and compliance properties.

PUBLICATIONS

  • Rahman, A., Pradhan, P., Partho, A., and Williams, L., Predicting Android Application Security and Privacy Risk With Static Code Metrics, Short paper, 4th IEEE/ACM International Conference on Mobile Software Engineering and Systems, Buenos Aires, Argentina, to appear.

  • Rahman, A., Partho, A., Meder, D., and Williams, L., Which Factors Influence Usage of Build Automation Tools? International Conference on Software Engineering (ICSE), 3rd International Workshop on Rapid Continuous Software Engineering (RCoSE) 2017, Buenos Aires, Argentina, to appear

ACCOMPLISHMENT HIGHLIGHTS

  • We built a prediction model using static code metrics as predictors to aid Android application developers in assessing the security and privacy risk associated with Android applications by using static code metrics as predictors.
  • We identified the adoption factors that influence usage of build automation tools.  Build automation tools can aid organizations in deploying securely configured projects.

 

Groups: