Qiuyuan Chen,Lingfeng Bao,Li Li,Xin Xia,Liang Cai

DOI: https://doi.org/10.1109/APSEC.2018.00049

2018-01-01

Abstract:To share vulnerability information across separate databases, tools, and services, newly identified vulnerabilities are recurrently reported to Common Vulnerabilities and Exposures (CVE) database.Unfortunately, not all vulnerability reports will be accepted. Some of them might get rejected or be accepted with disputations.In this work, we refer to those rejected or disputed CVEs as invalid vulnerability reports. Invalid vulnerability reports not only cause unnecessary efforts to confirm the vulnerability but also impact the reputation of the software vendors. In this paper, we aim to understand the root causes of invalid vulnerability reports and build a prediction model to automatically identify them.To this end, we first leverage card sorting to categorize invalid vulnerability reports, from which six main reasons are observed for rejected and disputed CVEs, respectively.Then, we propose a text mining approach to predict the invalid vulnerability reports. Our experiments reveal that the proposed text mining approach can achieve an AUC score of 0.87 for predicting invalid vulnerabilities. We also discuss the implications of our study: our categorization can be used to guide new committer to avoid these traps; some root causes of invalid CVEs can be avoided by using automatic techniques or optimizing reviewing mechanism; invalid vulnerability reports data should not be neglected.

Gong Jie,Kuang Xiao-hui,Liu Qiang

DOI: https://doi.org/10.1109/dsc.2016.33

2016-01-01

Abstract:With the increasingly rich of vulnerability related data and the extensive application of machine learning methods, software vulnerability analysis methods based on machine learning is becoming an important research area of information security. In this paper, the up-to-date and well-known works in this research area were analyzed deeply. A framework for software vulnerability analysis based on machine learning was proposed. And the existing works were described and compared, the limitations of these works were discussed. The future research directions on software vulnerability analysis based on machine learning were put forward in the end.

Yun Zhang,David Lo,Xin Xia,Bowen Xu,Jianling Sun,Shanping Li

DOI: https://doi.org/10.1109/ICECCS.2015.15

2015-01-01

Abstract:In recent years, to help developers reduce time and effort required to build highly secure software, a number of prediction models which are built on different kinds of features have been proposed to identify vulnerable source code files. In this paper, we propose a novel approach VULPREDICTOR to predict vulnerable files, it analyzes software metrics and text mining together to build a composite prediction model. VULPREDICTOR first builds 6 underlying classifiers on a training set of vulnerable and non-vulnerable files represented by their software metrics and text features, and then constructs a meta classifier to process the outputs of the 6 underlying classifiers. We evaluate our solution on datasets from three web applications including Drupal, PHPMyAdmin and Moodle which contain a total of 3,466 files and 223 vulnerabilities. The experiment results show that VULPREDICTOR can achieve F1 and EffectivenessRatio@20% scores of up to 0.683 and 75%, respectively. On average across the 3 projects, VULPREDICTOR improves the F1 and EffectivenessRatio@20% scores of the best performing state-of-the-art approaches proposed by Walden et al. by 46.53% and 14.93%, respectively.

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Esma Mouine,Yan Liu,Lu Xiao,Rick Kazman,Xiao Wang

2024-06-06

Abstract:There is an increasing trend to mine vulnerabilities from software repositories and use machine learning techniques to automatically detect software vulnerabilities. A fundamental but unresolved research question is: how do different factors in the mining and learning process impact the accuracy of identifying vulnerabilities in software projects of varying characteristics? Substantial research has been dedicated in this area, including source code static analysis, software repository mining, and NLP-based machine learning. However, practitioners lack experience regarding the key factors for building a baseline model of the state-of-the-art. In addition, there lacks of experience regarding the transferability of the vulnerability signatures from project to project. This study investigates how the combination of different vulnerability features and three representative machine learning models impact the accuracy of vulnerability detection in 17 real-world projects. We examine two types of vulnerability representations: 1) code features extracted through NLP with varying tokenization strategies and three different embedding techniques (bag-of-words, word2vec, and fastText) and 2) a set of eight architectural metrics that capture the abstract design of the software systems. The three machine learning algorithms include a random forest model, a support vector machines model, and a residual neural network model. The analysis shows a recommended baseline model with signatures extracted through bag-of-words embedding, combined with the random forest, consistently increases the detection accuracy by about 4% compared to other combinations in all 17 projects. Furthermore, we observe the limitation of transferring vulnerability signatures across domains based on our experiments.

Software Engineering,Artificial Intelligence

Nima Shiri Harzevili,Alvine Boaye Belle,Junjie Wang,Song Wang,Zhen Ming,Jiang,Nachiappan Nagappan

2023-06-21

Abstract:Software vulnerability detection is critical in software security because it identifies potential bugs in software systems, enabling immediate remediation and mitigation measures to be implemented before they may be exploited. Automatic vulnerability identification is important because it can evaluate large codebases more efficiently than manual code auditing. Many Machine Learning (ML) and Deep Learning (DL) based models for detecting vulnerabilities in source code have been presented in recent years. However, a survey that summarises, classifies, and analyses the application of ML/DL models for vulnerability detection is missing. It may be difficult to discover gaps in existing research and potential for future improvement without a comprehensive survey. This could result in essential areas of research being overlooked or under-represented, leading to a skewed understanding of the state of the art in vulnerability detection. This work address that gap by presenting a systematic survey to characterize various features of ML/DL-based source code level software vulnerability detection approaches via five primary research questions (RQs). Specifically, our RQ1 examines the trend of publications that leverage ML/DL for vulnerability detection, including the evolution of research and the distribution of publication venues. RQ2 describes vulnerability datasets used by existing ML/DL-based models, including their sources, types, and representations, as well as analyses of the embedding techniques used by these approaches. RQ3 explores the model architectures and design assumptions of ML/DL-based vulnerability detection approaches. RQ4 summarises the type and frequency of vulnerabilities that are covered by existing studies. Lastly, RQ5 presents a list of current challenges to be researched and an outline of a potential research roadmap that highlights crucial opportunities for future work.

Software Engineering

毛勇,周晓波,夏铮,尹征,孙优贤

DOI: https://doi.org/10.3969/j.issn.1003-6059.2007.02.012

2007-01-01

Pattern Recognition and Artificial Intelligence

Abstract:Feature selection is a hot topic in current information science,especially in the field of pattern recognition.In this paper,feature selection algorithms are classified from different points of view.Several embranchments of feature selection and the development situation are introduced. Some difficulties in the theoretic analysis and application are involved.From a practicality angle, using support vector machine to select features is considered as the research direction in machine learning.

Xinbo Ban,Shigang Liu,Chao Chen,Caslon Chua

DOI: https://doi.org/10.1002/cpe.5103

2018-12-18

Concurrency and Computation: Practice and Experience

Abstract:Software vulnerability is a critical issue in the realm of cyber security. In terms of techniques, machine learning (ML) has been successfully used in many real‐world problems such as software vulnerability detection, malware detection and function recognition, for high‐quality feature representation learning. In this paper, we propose a performance evaluation study on ML based solutions for software vulnerability detection, conducting three experiments: machine learning‐based techniques for software vulnerability detection based on the scenario of single type of vulnerability and multiple types of vulnerabilities per dataset; machine learning‐based techniques for cross‐project software vulnerability detection; and software vulnerability detection when facing the class imbalance problem with varying imbalance ratios. Experimental results show that it is possible to employ software vulnerability detection based on ML techniques. However, ML‐based techniques suffer poor performance on both cross‐project and class imbalance problem in software vulnerability detection.

Wei Zheng,Jialiang Gao,Xiaoxue Wu,Fengyu Liu,Yuxing Xun,Guoliang Liu,Xiang Chen

DOI: https://doi.org/10.1016/j.jss.2020.110659

IF: 3.5

2020-10-01

Journal of Systems and Software

Abstract:<p>Machine learning-based Vulnerability detection is an active research topic in software security. Different traditional machine learning-based and deep learning-based vulnerability detection methods have been proposed. To our best knowledge, we are the first to identify four impact factors and conduct a comparative study to investigate the performance influence of these factors. In particular, the quality of datasets, classification models and vectorization methods can directly affect the detection performance, in contrast function/variable name replacement can affect the features of vulnerability detection and indirectly affect the performance. We collect three different vulnerability code datasets from two various sources (i.e., NVD and SARD). These datasets can correspond to different types of vulnerabilities. Moreover, we extract and analyze the features of vulnerability code datasets to explain some experimental results. Our findings based on the experimental results can be summarized as follows: (1) Deep learning models can achieve better performance than traditional machine learning models. Of all the models, BLSTM can achieve the best performance. (2) CountVectorizer can significantly improve the performance of traditional machine learning models. (3) Features generated by the random forest algorithm include system-related functions, syntax keywords, and user-defined names. Different vulnerability types and code sources will generate different features. (4) Datasets with user-defined variable and function name replacement will decrease the performance of vulnerability detection. (5) As the proportion of code from SARD increases, the performance of vulnerability detection will increase.</p>

computer science, theory & methods, software engineering

Napier, Kollin,Wang, Shaowei

DOI: https://doi.org/10.1007/s10664-022-10276-6

IF: 3.762

2023-02-04

Empirical Software Engineering

Abstract:With an increase in complexity and severity, it is becoming harder to identify and mitigate vulnerabilities. Although traditional tools remain useful, machine learning models are being adopted to expand efforts. To help explore methods of vulnerability detection, we present an empirical study on the effectiveness of text-based machine learning models by utilizing 344 open-source projects, 2,182 vulnerabilities and 38 vulnerability types. With the availability of vulnerabilities being presented in forms such as code snippets, we construct a methodology based on extracted source code functions and create equal pairings. We conduct experiments using seven machine learning models, five natural language processing techniques and three data processing methods. First, we present results based on full context function pairings. Next, we introduce condensed functions and conduct a statistical analysis to determine if there is a significant difference between the models, techniques, or methods. Based on these results, we answer research questions regarding model prediction for testing within and across projects and vulnerability types. Our results show that condensed functions with fewer features may achieve greater prediction results when testing within rather than across. Overall, we conclude that text-based machine learning models are not effective in detecting vulnerabilities within or across projects and vulnerability types.

computer science, software engineering

Georgios Spanos,Lefteris Angelis

DOI: https://doi.org/10.1016/j.jss.2018.09.039

IF: 3.5

2018-12-01

Journal of Systems and Software

Abstract:Software vulnerabilities constitute a great risk for the IT community. The specification of the vulnerability characteristics is a crucial procedure, since the characteristics are used as input for a plethora of vulnerability scoring systems. Currently, the determination of the specific characteristics -that represent each vulnerability- is a process that is performed manually by the IT security experts. However, the vulnerability description can be very informative and useful to predict vulnerability characteristics. The primary goal of this research is the enhancement, the acceleration and the support of the manual procedure of the vulnerability characteristic assignment. To achieve this goal, a model, which combines texts analysis and multi-target classification techniques was developed. This model estimates the vulnerability characteristics and subsequently, calculates the vulnerability severity scores from the predicted characteristics. To perform the present research, a dataset that contains 99,091 records from a large -publicly available- vulnerability database was used. The results are encouraging, since they show accuracy in the prediction of the vulnerability characteristics and scores.

computer science, theory & methods, software engineering

V. Yosifova,R. Trifonov,Antoniya Tasheva

DOI: https://doi.org/10.1109/ELECTRONICA52725.2021.9513723

2021-05-27

Abstract:Vulnerability type is not part of the standard CVE scheme so the ability to determine it only on the basis of text description would be a very useful for automated vulnerability handling. The growing number of hardware and software vulnerabilities discovered every year makes it more difficult for manual classification of the vulnerabilities types. This justifies the need for automatic machine learning classification. In this study we research the performance of base ML classifier algorithms, such as Linear Support Vector Classification, Naive Bayes, and Random Forest Classifier. To measure the performance of our classifiers, we use precision, recall, and f1-score evaluation metrics. Previous studies have focused on machine learning methods predicting platform vendor and products, vulnerability scoring, software vulnerabilities exploitation. Our study aims to show that machine learning is suitable for automated vulnerability type classification.

Computer Science

Benjamin L. Bullough,Anna K. Yanchenko,Christopher L. Smith,Joseph R. Zipkin

DOI: https://doi.org/10.1145/3041008.3041009

2017-07-25

Abstract:Each year, thousands of software vulnerabilities are discovered and reported to the public. Unpatched known vulnerabilities are a significant security risk. It is imperative that software vendors quickly provide patches once vulnerabilities are known and users quickly install those patches as soon as they are available. However, most vulnerabilities are never actually exploited. Since writing, testing, and installing software patches can involve considerable resources, it would be desirable to prioritize the remediation of vulnerabilities that are likely to be exploited. Several published research studies have reported moderate success in applying machine learning techniques to the task of predicting whether a vulnerability will be exploited. These approaches typically use features derived from vulnerability databases (such as the summary text describing the vulnerability) or social media posts that mention the vulnerability by name. However, these prior studies share multiple methodological shortcomings that inflate predictive power of these approaches. We replicate key portions of the prior work, compare their approaches, and show how selection of training and test data critically affect the estimated performance of predictive models. The results of this study point to important methodological considerations that should be taken into account so that results reflect real-world utility.

Cryptography and Security,Applications,Machine Learning

Zhen Li,Deqing Zou,Jing Tang,Zhihao Zhang,Mingqian Sun,Hai Jin

DOI: https://doi.org/10.1109/access.2019.2930578

IF: 3.9

2019-01-01

IEEE Access

Abstract:Source code static analysis has been widely used to detect vulnerabilities in the development of software products. The vulnerability patterns purely based on human experts are laborious and error prone, which has motivated the use of machine learning for vulnerability detection. In order to relieve human experts of defining vulnerability rules or features, a recent study shows the feasibility of leveraging deep learning to detect vulnerabilities automatically. However, the impact of different factors on the effectiveness of vulnerability detection is unknown. In this paper, we collect two datasets from the programs involving 126 types of vulnerabilities, on which we conduct the first comparative study to quantitatively evaluate the impact of different factors on the effectiveness of vulnerability detection. The experimental results show that accommodating control dependency can increase the overall effectiveness of vulnerability detection F1-measure by 20.3%; the imbalanced data processing methods are not effective for the dataset we create; bidirectional recurrent neural networks (RNNs) are more effective than unidirectional RNNs and convolutional neural network, which in turn are more effective than multi-layer perception; using the last output corresponding to the time step for the bidirectional long short-term memory (BLSTM) can reduce the false negative rate by 2.0% at the price of increasing the false positive rate by 0.5%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiang Li,Jinfu Chen,Zhechao Lin,Lin Zhang,Zibin Wang,Minmin Zhou,Wanggen Xie

DOI: https://doi.org/10.1109/cbd.2017.58

2017-08-01

Abstract:Software vulnerability remains a serious challenge to the software engineering domain over the past decade as a result of the recent technological advancement in information systems. The rapid development in software applications and failure on the part of system developers to properly analyze program codes before been released to the market increases the chance for data breaches. It is a known fact that most system failures are as a result of bugs and errors detected in software applications. Although code errors significantly affect software quality, there is no effective method that can be used in eliminating software errors to improve its reliability. Data Mining and its related algorithms are an active area which can successfully be applied in analyzing software vulnerability. However the concept of applying data mining techniques has not been empirically proven as an effective method for obtaining the essential characteristics of software vulnerability. To investigate this effect, we propose a vulnerability mining algorithm to analyze and obtain the essential characteristics of Software vulnerability based data mining techniques. We first extracted and preprocessed the software vulnerabilities using data mining techniques and common vulnerability database. We evaluate the proposed technique using the Common Vulnerability and Exposure (CVE) Database, Common Weakness Enumeration (CWE) Database, National Vulnerability Database (NVD) datasets. Empirical results show that the proposed vulnerability mining algorithm has a remarkable improvement in the vulnerability mining process. The most interesting finding is that, we observed that across all the three projects, recall was around 70% and precision was approximately 60%.

Aram Hovsepyan,Riccardo Scandariato,Wouter Joosen,James Walden

DOI: https://doi.org/10.1145/2372225.2372230

2012-01-01

Abstract:Early identification of software vulnerabilities is essential in software engineering and can help reduce not only costs, but also prevent loss of reputation and damaging litigations for a software firm. Techniques and tools for software vulnerability prediction are thus invaluable. Most of the existing techniques rely on using component characteristic(s) (like code complexity, code churn) for the vulnerability prediction. In this position paper, we present a novel approach for vulnerability prediction that leverages on the analysis of raw source code as text, instead of using &quot;cooked&quot; features. Our initial results seem to be very promising as the prediction model achieves an average accuracy of 0.87, precision of 0.85 and recall of 0.88 on 18 versions of a large mobile application.

Shuang Wu,Congyi Wang,Jianping Zeng,Chengrong Wu

DOI: https://doi.org/10.1109/asid50160.2020.9271730

2020-01-01

Abstract:Vulnerabilities have been widely exploited to launch various cyberattacks, and become one of the most popular network security problems. Several kinds of research on vulnerabilities have been carried out, such as, mining vulnerability, tracing vulnerability, forecasting vulnerability, and so on. Vulnerability forecasting models make the prediction of zero-day vulnerabilities possible, hence they can help us learn more about the number of vulnerabilities in future days and take defence measures in advance. However, most of these models stem from statistics, which cannot adapt to our application scenario very well. Unlike traditional statistical methods, we propose a vulnerability forecasting method based on multivariable LSTM and carry on experiments on the NVD data set. In comparison with ARIMA, our method perform better in number prediction of vulnerabilities.

Guanjun Lin,Sheng Wen,Qing-Long Han,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.1109/jproc.2020.2993293

IF: 20.6

2020-10-01

Proceedings of the IEEE

Abstract:The constantly increasing number of disclosed security vulnerabilities have become an important concern in the software industry and in the field of cybersecurity, suggesting that the current approaches for vulnerability detection demand further improvement. The booming of the open-source software community has made vast amounts of software code available, which allows machine learning and data mining techniques to exploit abundant patterns within software code. Particularly, the recent breakthrough application of deep learning to speech recognition and machine translation has demonstrated the great potential of neural models' capability of understanding natural languages. This has motivated researchers in the software engineering and cybersecurity communities to apply deep learning for learning and understanding vulnerable code patterns and semantics indicative of the characteristics of vulnerable code. In this survey, we review the current literature adopting deep-learning-/neural-network-based approaches for detecting software vulnerabilities, aiming at investigating how the state-of-the-art research leverages neural techniques for learning and understanding code semantics to facilitate vulnerability discovery. We also identify the challenges in this new field and share our views of potential research directions.

engineering, electrical & electronic

Chao Ni,Liyu Shen,Xiaodan Xu,Xin Yin,Shaohua Wang

2024-08-14

Abstract:Though many deep learning-based models have made great progress in vulnerability detection, we have no good understanding of these models, which limits the further advancement of model capability, understanding of the mechanism of model detection, and efficiency and safety of practical application of models. In this paper, we extensively and comprehensively investigate two types of state-of-the-art learning-based approaches (sequence-based and graph-based) by conducting experiments on a recently built large-scale dataset. We investigate seven research questions from five dimensions, namely model capabilities, model interpretation, model stability, ease of use of model, and model economy. We experimentally demonstrate the priority of sequence-based models and the limited abilities of both LLM (ChatGPT) and graph-based models. We explore the types of vulnerability that learning-based models skilled in and reveal the instability of the models though the input is subtlely semantical-equivalently changed. We empirically explain what the models have learned. We summarize the pre-processing as well as requirements for easily using the models. Finally, we initially induce the vital information for economically and safely practical usage of these models.

Software Engineering,Cryptography and Security,Machine Learning