Document Type : Original Article


Computer Engineering Group, Engineering Campus, Yazd University, Yazd, Iran


Prediction of software vulnerabilities-severity is of particular importance. Its most important application is that managers can first deal with the most dangerous vulnerabilities when they have limited resources. This research shows how we can use the former patterns of software vulnerabilities-severity along with machine learning methods to predict the vulnerabilities severity of that software in the future. In this regard, we used the SVM, Decision Trees (DT), Random Forests (RF), K Nearest Neighbors (KNN), bagging and AdaBoost algorithms along with the already reported vulnerabilities of Google Android applications, Apple Safari and the Flash Player. The experimental results showed that the Bagging algorithm can predict Google Android vulnerability with accuracy of 78.21% and f1-measure equal to 77%, the vulnerability of the Flash Player software with accuracy of 82.37% and f1-measure equal to 87.73% and predict the vulnerability severity of the Apple Safari with accuracy of  70.58% and f1-measure equal to 70%. The novelty of this research is introduction of a new method for prediction of software vulnerabilities severity.


Main Subjects

  1. Yuan, Xiaoyong, et al. “Adversarial Examples: Attacks and Defenses for Deep Learning.”  IEEE Transactions on Neural Network,,  2019, pp. 1–20..
  2. M. Tajamolian, and M. Ghasemzadeh. “A Versioning Approach to VM Live Migration.”  International  Journal of  Engineering, Transactions B:  Applications,  vol. 31,  no. 11, 2018,  pp. 1838–1845.
  3. O. H. Alhazmi and Y. K. Malaiya, ‘Prediction capabilities of vulnerability discovery models’, in RAMS ’06. Annual Reliability and Maintainability Symposium, 2006. 2006, pp. 86–91.
  4. S. Rahimi and M. Zargham, ‘Vulnerability Scrying Method for Software Vulnerability Discovery Prediction Without a Vulnerability Database’, IEEE Transactions on Reliability, vol. 62, no. 2, pp. 395–407, 2013.
  5. R. Scandariato, J. Walden, A. Hovsepyan, and W. Joosen, ‘Predicting vulnerable software components via text mining’, IEEE Transactions on Software Engineering, 2014.
  6. Y. Shin and L. Williams, ‘An empirical model to predict security vulnerabilities using code complexity metrics’, Proceedings of the Second ACM-IEEE international symposium on Empirical software engineering and measurement - ESEM ’08, 2008
  7. Y. Shin and L. Williams, ‘Is Complexity Really the Enemy of Software Security’,, Proc. the 4th ACM Workshop on Quality of Protection, Alexandria, Virginia, USA, Oct. 2008.
  8. Y. Shin, A. Meneely, L. Williams, and J. A. Osborne, ‘Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities’, IEEE Transactions on Software Engineering, 2011.
  9. Y. Shin and L. Williams, ‘Can traditional fault prediction models be used for vulnerability prediction?’, Empirical Software Engineering, 2013.
  10. E. Rescorla, ‘Is finding security holes a good idea?’, IEEE Security and Privacy. 2005
  11. R. Scandariato and J. Walden, ‘Predicting vulnerable classes in an Android application’, Proceedings of the 4th international workshop on Security measurements and metrics - MetriSec ’12, 2012.
  12. V. H. Nguyen and L. M. S. Tran, ‘Predicting vulnerable software components with dependency graphs’, Proceedings of the 6th International Workshop on Security Measurements and Metrics - MetriSec ’10, New York, USA: ACM Press. pp. 3–10, 2010.
  13. C. Nie, X. Zhao, K. Chen, and Z. Han, ‘An software vulnerability number prediction model based on micro-parameters’, Jisuanji Yanjiu yu Fazhan/Computer Research and Development, 2011.
  14. J. D. Musa and K. Okumoto, ‘A logarithmic poisson execution time model for software reliability measurement’, in Proceedings of the 7th international conference on Software engineering, 1984, pp. 81–87.
  15. R. Anderson, ‘Security in Open versus Closed Systems - The Dance of Boltzmann, Coase and Moore’, vol. 4, no. 15, pp. 121–127, 2002.
  16. Geng, Jinkun, Daren Ye, and Ping Luo. 2015. “Forecasting Severity of Software Vulnerability Using Grey Model GM(1,1).” In 2015 IEEE Advanced Information Technology, Electronic and Automation Control Conference (IAEAC), 344–48.
  17. U.S Department of commerce, “NVD. National Vulnerability Database.“ [Online]. Available at: [Accessed: 106-May-2019].
  18. Ian H Witten, and Frank Eibe. Data Mining: Practical Machine Learning Tools with Java Implementations. 1999.