{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,28]],"date-time":"2026-03-28T17:07:52Z","timestamp":1774717672560,"version":"3.50.1"},"reference-count":33,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2022,5,5]],"date-time":"2022-05-05T00:00:00Z","timestamp":1651708800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"European Union\u2019s Horizon 2020 research and innovation program","award":["952684"],"award-info":[{"award-number":["952684"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Entropy"],"abstract":"<jats:p>Software security is a very important aspect for software development organizations who wish to provide high-quality and dependable software to their consumers. A crucial part of software security is the early detection of software vulnerabilities. Vulnerability prediction is a mechanism that facilitates the identification (and, in turn, the mitigation) of vulnerabilities early enough during the software development cycle. The scientific community has recently focused a lot of attention on developing Deep Learning models using text mining techniques for predicting the existence of vulnerabilities in software components. However, there are also studies that examine whether the utilization of statically extracted software metrics can lead to adequate Vulnerability Prediction Models. In this paper, both software metrics- and text mining-based Vulnerability Prediction Models are constructed and compared. A combination of software metrics and text tokens using deep-learning models is examined as well in order to investigate if a combined model can lead to more accurate vulnerability prediction. For the purposes of the present study, a vulnerability dataset containing vulnerabilities from real-world software products is utilized and extended. The results of our analysis indicate that text mining-based models outperform software metrics-based models with respect to their F2-score, whereas enriching the text mining-based models with software metrics was not found to provide any added value to their predictive performance.<\/jats:p>","DOI":"10.3390\/e24050651","type":"journal-article","created":{"date-parts":[[2022,5,5]],"date-time":"2022-05-05T13:10:26Z","timestamp":1651756226000},"page":"651","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":21,"title":["Examining the Capacity of Text Mining and Software Metrics in Vulnerability Prediction"],"prefix":"10.3390","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5118-2508","authenticated-orcid":false,"given":"Ilias","family":"Kalouptsoglou","sequence":"first","affiliation":[{"name":"Centre for Research and Technology Hellas, 57001 Thessaloniki, Greece"},{"name":"Department of Applied Informatics, University of Macedonia, 54636 Thessaloniki, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3251-8723","authenticated-orcid":false,"given":"Miltiadis","family":"Siavvas","sequence":"additional","affiliation":[{"name":"Centre for Research and Technology Hellas, 57001 Thessaloniki, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6912-3493","authenticated-orcid":false,"given":"Dionysios","family":"Kehagias","sequence":"additional","affiliation":[{"name":"Centre for Research and Technology Hellas, 57001 Thessaloniki, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Alexandros","family":"Chatzigeorgiou","sequence":"additional","affiliation":[{"name":"Department of Applied Informatics, University of Macedonia, 54636 Thessaloniki, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Apostolos","family":"Ampatzoglou","sequence":"additional","affiliation":[{"name":"Department of Applied Informatics, University of Macedonia, 54636 Thessaloniki, Greece"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2022,5,5]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Shin, Y., and Williams, L. (2008, January 27). Is complexity really the enemy of software security?. Proceedings of the 4th ACM Workshop on Quality of Protection, Alexandria, VA, USA.","DOI":"10.1145\/1456362.1456372"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Shin, Y., and Williams, L. (2008, January 9). An empirical model to predict security vulnerabilities using code complexity metrics. Proceedings of the Second ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, Kaiserslautern, Germany.","DOI":"10.1145\/1414004.1414065"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"294","DOI":"10.1016\/j.sysarc.2010.06.003","article-title":"Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities","volume":"57","author":"Chowdhury","year":"2011","journal-title":"J. Syst. Archit."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Pang, Y., Xue, X., and Wang, H. (2017, January 2). Predicting vulnerable software components through deep neural network. Proceedings of the 2017 International Conference on Deep Learning Technologies, Chengdu, China.","DOI":"10.1145\/3094243.3094245"},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Li, Z., Zou, D., Xu, S., Ou, X., Jin, H., Wang, S., Deng, Z., and Zhong, Y. (2018). Vuldeepecker: A deep learning-based system for vulnerability detection. arXiv.","DOI":"10.14722\/ndss.2018.23158"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"240","DOI":"10.1109\/TSE.2006.38","article-title":"On the value of static analysis for fault detection in software","volume":"32","author":"Zheng","year":"2006","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Gegick, M., and Williams, L. (2007, January 1\u20135). Toward the use of automated static analysis alerts for early identification of vulnerability-and attack-prone components. Proceedings of the Second International Conference on Internet Monitoring and Protection (ICIMP 2007), San Jose, CA, USA.","DOI":"10.1109\/ICIMP.2007.46"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Neuhaus, S., Zimmermann, T., Holler, C., and Zeller, A. (2007, January 2). Predicting vulnerable software components. Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA.","DOI":"10.1145\/1315245.1315311"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Hovsepyan, A., Scandariato, R., Joosen, W., and Walden, J. (2012, January 21). Software vulnerability prediction using text analysis techniques. Proceedings of the 4th International Workshop on Security Measurements and Metrics, Lund, Sweden.","DOI":"10.1145\/2372225.2372230"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Walden, J., Stuckman, J., and Scandariato, R. (2014, January 3\u20136). Predicting vulnerable components: Software metrics vs text mining. Proceedings of the 2014 IEEE 25th International Symposium on Software Reliability Engineering, Naples, Italy.","DOI":"10.1109\/ISSRE.2014.32"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Zhang, Y., Lo, D., Xia, X., Xu, B., Sun, J., and Li, S. (2015, January 9\u201312). Combining software metrics and text features for vulnerable file prediction. Proceedings of the 2015 20th International Conference on Engineering of Complex Computer Systems (ICECCS), Gold Coast, Australia.","DOI":"10.1109\/ICECCS.2015.15"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Ferenc, R., Heged\u0171s, P., Gyimesi, P., Antal, G., B\u00e1n, D., and Gyim\u00f3thy, T. (2019, January 28\u201328). Challenging machine learning algorithms in predicting vulnerable javascript functions. Proceedings of the 2019 IEEE\/ACM 7th International Workshop on Realizing Artificial Intelligence Synergies in Software Engineering (RAISE), Montreal, QC, Canada.","DOI":"10.1109\/RAISE.2019.00010"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"e1249","DOI":"10.1002\/widm.1249","article-title":"Ensemble learning: A survey","volume":"8","author":"Sagi","year":"2018","journal-title":"Wiley Interdiscip. Rev. Data Min. Knowl. Discov."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"297","DOI":"10.1109\/TSE.2003.1191795","article-title":"Empirical analysis of ck metrics for object-oriented design complexity: Implications for software defects","volume":"29","author":"Subramanyam","year":"2003","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Goyal, P.K., and Joshi, G. (2014, January 7\u20138). QMOOD metric sets to assess quality of Java program. Proceedings of the 2014 International Conference on Issues and Challenges in Intelligent Computing Techniques (ICICT), Ghaziabad, India.","DOI":"10.1109\/ICICICT.2014.6781337"},{"key":"ref_16","unstructured":"Mikolov, T., Chen, K., Corrado, G., and Dean, J. (2013). Efficient estimation of word representations in vector space. arXiv."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1007\/BF00058655","article-title":"Bagging predictors","volume":"24","author":"Breiman","year":"1996","journal-title":"Mach. Learn."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"105","DOI":"10.1023\/A:1007515423169","article-title":"An empirical comparison of voting classification algorithms: Bagging, boosting, and variants","volume":"36","author":"Bauer","year":"1999","journal-title":"Mach. Learn."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Kalouptsoglou, I., Siavvas, M., Tsoukalas, D., and Kehagias, D. (2020, January 4). Cross-project vulnerability prediction based on software metrics and deep learning. Proceedings of the International Conference on Computational Science and Its Applications, Cagliary, Italy.","DOI":"10.1007\/978-3-030-58811-3_62"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1016\/S1361-3723(13)70045-9","article-title":"Using complexity metrics to improve software security","volume":"2013","author":"Moshtari","year":"2013","journal-title":"Comput. Fraud. Secur."},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Moshtari, S., and Sami, A. (2016, January 4\u20138). Evaluating and comparing complexity, coupling and a new proposed set of coupling metrics in cross-project vulnerability prediction. Proceedings of the 31st Annual ACM Symposium on Applied Computing, Pisa, Italy.","DOI":"10.1145\/2851613.2851777"},{"key":"ref_22","unstructured":"Yu, Z., Theisen, C., Sohn, H., Williams, L., and Menzies, T. (2018). Cost-aware vulnerability prediction: The HARMLESS approach. arXiv."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Russell, R., Kim, L., Hamilton, L., Lazovich, T., Harer, J., Ozdemir, O., Ellingwood, P., and McConley, M. (2018, January 17\u201320). Automated vulnerability detection in source code using deep representation learning. Proceedings of the 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA), Orlando, FL, USA.","DOI":"10.1109\/ICMLA.2018.00120"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1109\/TSE.2018.2881961","article-title":"Automatic feature learning for predicting vulnerable software components","volume":"47","author":"Dam","year":"2018","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_25","first-page":"2546","article-title":"Algorithms for hyper-parameter optimization","volume":"24","author":"Bergstra","year":"2011","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Chen, L. (2009). Curse of dimensionality. Encyclopedia of Database Systems, Springer.","DOI":"10.1007\/978-0-387-39940-9_133"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1145\/1041685.1029909","article-title":"Correlation exploitation in error ranking","volume":"29","author":"Kremenek","year":"2004","journal-title":"Acm Sigsoft Softw. Eng. Notes"},{"key":"ref_28","unstructured":"Varma, S. (2006). Preliminary Item Statistics Using Point-Biserial Correlation and p-Values, Educational Data Systems Inc."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"993","DOI":"10.1109\/TSE.2014.2340398","article-title":"Predicting vulnerable software components via text mining","volume":"40","author":"Scandariato","year":"2014","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Kalouptsoglou, I., Siavvas, M., Kehagias, D., Chatzigeorgiou, A., and Ampatzoglou, A. (2021, January 25\u201326). An Empirical Evaluation of the Usefulness of Word Embedding Techniques in Deep Learning-based Vulnerability Prediction. Proceedings of the EuroCybersec2021, Lecture Notes in Communications in Computer and Information Science, Nice, France.","DOI":"10.1007\/978-3-031-09357-9_3"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Bagheri, A., and Heged\u0171s, P. (2021, January 8\u201311). A Comparison of Different Source Code Representation Methods for Vulnerability Prediction in Python. Proceedings of the International Conference on the Quality of Information and Communications Technology, Algarve, Portugal.","DOI":"10.1007\/978-3-030-85347-1_20"},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"150672","DOI":"10.1109\/ACCESS.2020.3016774","article-title":"Vulnerability prediction from source code using machine learning","volume":"8","author":"Bilgin","year":"2020","journal-title":"IEEE Access"},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"106576","DOI":"10.1016\/j.infsof.2021.106576","article-title":"BGNN4VD: Constructing Bidirectional Graph Neural-Network for Vulnerability Detection","volume":"136","author":"Cao","year":"2021","journal-title":"Inf. Softw. Technol."}],"container-title":["Entropy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1099-4300\/24\/5\/651\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T23:06:32Z","timestamp":1760137592000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1099-4300\/24\/5\/651"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,5,5]]},"references-count":33,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2022,5]]}},"alternative-id":["e24050651"],"URL":"https:\/\/doi.org\/10.3390\/e24050651","relation":{},"ISSN":["1099-4300"],"issn-type":[{"value":"1099-4300","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,5,5]]}}}