Many coupling measures have been proposed in the context of object oriented (OO) systems. In addition, due to the numerous dependencies present in OO systems, several studies have highlighted the complexity of using dependency analysis to perform impact analysis. An alternative is to investigate the construction of probabilistic decision models based on coupling measurement to support impact analysis. In addition to providing an ordering of classes where ripple effects are more likely, such an approach is simple and can be automated. In our investigation, we perform a thorough analysis on a commercial C++ system where change data has been collected over several years. We identify the coupling dimensions that seem to be significantly related to ripple effects and use these dimensions to rank classes according to their probability of containing ripple effects. We then assess the expected effectiveness of such decision models.
The use of Unified Modeling Language (UML) analysis/design models on large projects leads to a large number of interdependent UML diagrams. As software systems evolve, those diagrams undergo changes to, for instance, correct errors or address changes in the requirements. Those changes can in turn lead to subsequent changes to other elements in the UML diagrams. Impact analysis is then defined as the process of identifying the potential consequences (side-effects) of a change, and estimating what needs to be modified to accomplish a change. In this article, we propose a UML model-based approach to impact analysis that can be applied before any implementation of the changes, thus allowing an early decision-making and change planning process. We first verify that the UML diagrams are consistent (consistency check). Then changes between two different versions of a UML model are identified according to a change taxonomy, and model elements that are directly or indirectly impacted by those changes (i.e., may undergo changes) are determined using formally defined impact analysis rules (written with Object Constraint Language). A measure of distance between a changed element and potentially impacted elements is also proposed to prioritize the results of impact analysis according to their likelihood of occurrence. We also present a prototype tool that provides automated support for our impact analysis strategy, that we then apply on a case study to validate both the implementation and methodology.
This article is a first attempt towards a comprehensive, systematic methodology for class interface testing in the context of client/server relationships. The proposed approach builds on and combines existing techniques. It first consists in selecting a subset of the method sequences defined for the class testing of the client class, based on an analysis of the interactions between the client and the server methods. Coupling information is then used to determine the conditions, i.e., values for parameters and data members, under which the selected client method sequences are to be executed so as to exercise the interaction. The approach is illustrated by means of an abstract example and its cost-effectiveness is evaluated through a case study.
This technical report details our a semi-automated framework for the reverseengineering and testing of access control (AC) policies for web-based applications. In practice, AC specifications are often missing or poorly documented, leading to AC vulnerabilities. Our goal is to learn and recover AC policies from implementation, and assess them to find AC issues. Built on top of a suite of security tools, our framework automatically explores a system under test, mines domain input specifications from access request logs, and then, generates and executes more access requests using combinatorial test generation. We apply machine learning on the obtained data to characterise relevant attributes that influence access control to learn policies. Finally, the inferred policies are used for detecting AC issues, being vulnerabilities or implementation errors. We have evaluated our framework on three open-source applications with respect to correctness and completeness. The results are very promising in terms of the quality of inferred policies, more than 94% of them are correct with respect to implemented AC mechanisms. The remaining incorrect policies are mainly due to our unrefined permission classification. Moreover, a careful analysis of these policies has revealed 92 vulnerabilities, many of them are new.
Current cost estimation techniques have a number of drawbacks. For example, developing algorithmic models requires extensive past project data. Also, off-the-shelf models have been found to be difficult to calibrate but inaccurate without calibration. Informal approaches based on experienced estimators depend on estimators' availability and are not easily repeatable, as well as not being much more accurate than algorithmic techniques. We present a method for cost estimation that combines aspects of algorithmic and experiential approaches (referred to as COBRA, COst estimation, Benchmarking, and Risk Assessment). We find through a case study that cost estimates using COBRA show an average ARE of 0.09. Although we do not have the room to describe the benchmarking and risk assessment parts, the reader will find detailed information in (Briand et al., 1997).
Data quality is crucial in modern software systems, like data-driven decision support systems. However, data quality is affected by data anomalies, which represent instances that deviate from most of the data. These anomalies affect the reliability and trustworthiness of software systems, and may propagate and cause more issues. Although many anomaly detection approaches have been proposed, they mainly focus on numerical data. Moreover, the few approaches targeting anomaly detection for categorical data do not yield consistent results across datasets. In this paper, we propose a novel anomaly detection approach for categorical data named LAFF-AD (LAFF-based Anomaly Detection), which takes advantage of the learning ability of a state-of-the-art form filling tool (LAFF) to perform value inference on suspicious data. LAFF-AD runs a variant of LAFF that predicts the possible values of a suspicious categorical field in the suspicious instance. LAFF-AD then compares the output of LAFF to the recorded values in the suspicious instance, and uses a heuristic-based strategy to detect categorical data anomalies. We evaluated LAFF-AD by assessing its effectiveness and efficiency on six datasets. Our experimental results show that LAFF-AD can accurately determine a high range of data anomalies, with recall values between 0.6 and 1 and a precision value of at least 0.808. Furthermore, LAFF-AD is efficient, taking at most 7000 s and 735 ms to perform training and prediction, respectively.
'/%3e%3cpath id='l' d='M-26.25 0h52.5v-12h-40.5v-16h33v-12h-33v-11H25v-12h-51.25z'/%3e%3cpath id='k' d='M-31.5 0h12v-48l14 48h11l14-48V0h12v-70H14L0-22l-14-48h-17.5z'/%3e%3cpath id='b' fill-rule='evenodd' d='M0 0a31.5 35 0 0 0 0-70A31.5 35 0 0 0 0 0m0-13a18.5 22 0 0 0 0-44 18.5 22 0 0 0 0 44'/%3e%3cpath id='d' fill-rule='evenodd' d='M-31.5 0h13v-26h28a22 22 0 0 0 0-44h-40zm13-39h27a9 9 0 0 0 0-18h-27z'/%3e%3cpath id='n' d='M-15.75-22C-15.75-15-9-11.5 1-11.5s14.74-3.25 14.75-7.75c0-14.25-46.75-5.25-46.5-30.25C-30.5-71-6-70 3-70s26 4 25.75 21.25H13.5c0-7.5-7-10.25-15-10.25-7.75 0-13.25 1.25-13.25 8.5-.25 11.75 46.25 4 46.25 28.75C31.5-3.5 13.5 0 0 0c-11.5 0-31.55-4.5-31.5-22z'/%3e%3cuse xlink:href='%23a' id='o' transform='scale(31.5)'/%3e%3cuse xlink:href='%23a' id='p' transform='scale(26.25)'/%3e%3cuse xlink:href='%23a' id='r' transform='scale(21)'/%3e%3cuse xlink:href='%23a' id='q' transform='scale(15)'/%3e%3cuse xlink:href='%23a' id='s' transform='scale(10.5)'/%3e%3cg id='m'%3e%3cclipPath id='c'%3e%3cpath d='M-31.5 0v-70h63V0zM0-47v12h31.5v-12z'/%3e%3c/clipPath%3e%3cuse xlink:href='%23b' clip-path='url(%23c)'/%3e%3cpath d='M5-35h26.5v10H5z'/%3e%3cpath d='M21.5-35h10V0h-10z'/%3e%3c/g%3e%3cg id='h'%3e%3cuse xlink:href='%23d'/%3e%3cpath d='M28 0c0-10 0-32-15-32H-6c22 0 22 22 22 32'/%3e%3c/g%3e%3cg id='a' fill='%23fff'%3e%3cg id='f'%3e%3cpath id='e' d='M0-1v1h.5' transform='rotate(18 0 -1)'/%3e%3cuse xlink:href='%23e' transform='scale(-1 1)'/%3e%3c/g%3e%3cuse xlink:href='%23f' transform='rotate(72)'/%3e%3cuse xlink:href='%23f' transform='rotate(-72)'/%3e%3cuse xlink:href='%23f' transform='rotate(144)'/%3e%3cuse xlink:href='%23f' transform='rotate(216)'/%3e%3c/g%3e%3c/defs%3e%3crect width='100%25' height='100%25' x='-50%25' y='-50%25' fill='%23009b3a'/%3e%3cpath fill='%23fedf00' d='M-1743 0 0 1113 1743 0 0-1113z'/%3e%3ccircle r='735' fill='%23002776'/%3e%3cclipPath id='g'%3e%3ccircle r='735'/%3e%3c/clipPath%3e%3cpath fill='%23fff' d='M-2205 1470a1785 1785 0 0 1 3570 0h-105a1680 1680 0 1 0-3360 0z' clip-path='url(%23g)'/%3e%3cg fill='%23009b3a' transform='translate(-420 1470)'%3e%3cuse xlink:href='%23b' y='-1697.5' transform='rotate(-7)'/%3e%3cuse xlink:href='%23h' y='-1697.5' transform='rotate(-4)'/%3e%3cuse xlink:href='%23i' y='-1697.5' transform='rotate(-1)'/%3e%3cuse xlink:href='%23j' y='-1697.5' transform='rotate(2)'/%3e%3cuse xlink:href='%23k' y='-1697.5' transform='rotate(5)'/%3e%3cuse xlink:href='%23l' y='-1697.5' transform='rotate(9.75)'/%3e%3cuse xlink:href='%23d' y='-1697.5' transform='rotate(14.5)'/%3e%3cuse xlink:href='%23h' y='-1697.5' transform='rotate(17.5)'/%3e%3cuse xlink:href='%23b' y='-1697.5' transform='rotate(20.5)'/%3e%3cuse xlink:href='%23m' y='-1697.5' transform='rotate(23.5)'/%3e%3cuse xlink:href='%23h' y='-1697.5' transform='rotate(26.5)'/%3e%3cuse xlink:href='%23j' y='-1697.5' transform='rotate(29.5)'/%3e%3cuse xlink:href='%23n' y='-1697.5' transform='rotate(32.5)'/%3e%3cuse xlink:href='%23n' y='-1697.5' transform='rotate(35.5)'/%3e%3cuse xlink:href='%23b' y='-1697.5' transform='rotate(38.5)'/%3e%3c/g%3e%3cuse xlink:href='%23o' x='-600' y='-132'/%3e%3cuse xlink:href='%23o' x='-535' y='177'/%3e%3cuse xlink:href='%23p' x='-625' y='243'/%3e%3cuse xlink:href='%23q' x='-463' y='132'/%3e%3cuse xlink:href='%23p' x='-382' y='250'/%3e%3cuse xlink:href='%23r' x='-404' y='323'/%3e%3cuse xlink:href='%23o' x='228' y='-228'/%3e%3cuse xlink:href='%23o' x='515' y='258'/%3e%3cuse xlink:href='%23r' x='617' y='265'/%3e%3cuse xlink:href='%23p' x='545' y='323'/%3e%3cuse xlink:href='%23p' x='368' y='477'/%3e%3cuse xlink:href='%23r' x='367' y='551'/%3e%3cuse xlink:href='%23r' x='441' y='419'/%3e%3cuse xlink:href='%23p' x='500' y='382'/%3e%3cuse xlink:href='%23r' x='365' y='405'/%3e%3cuse xlink:href='%23p' x='-280' y='30'/%3e%3cuse xlink:href='%23r' x='200' y='-37'/%3e%3cuse xlink:href='%23o' y='330'/%3e%3cuse xlink:href='%23p' x='85' y='184'/%3e%3cuse xlink:href='%23p' y='118'/%3e%3cuse xlink:href='%23r' x='-74' y='184'/%3e%3cuse xlink:href='%23q' x='-37' y='235'/%3e%3cuse xlink:href='%23p' x='220' y='495'/%3e%3cuse xlink:href='%23r' x='283' y='430'/%3e%3cuse xlink:href='%23r' x='162' y='412'/%3e%3cuse xlink:href='%23o' x='-295' y='390'/%3e%3cuse xlink:href='%23s' y='575'/%3e%3c/svg%3e)