Ranking Warnings of Static Analysis Tools Using Representation Learning

Kien-Tuan Ngo, Dinh-Truong Do, Thu-Trang Nguyen, H. Vo
{"title":"Ranking Warnings of Static Analysis Tools Using Representation Learning","authors":"Kien-Tuan Ngo, Dinh-Truong Do, Thu-Trang Nguyen, H. Vo","doi":"10.1109/APSEC53868.2021.00040","DOIUrl":null,"url":null,"abstract":"Static analysis tools are frequently used to detect potential vulnerabilities in software systems. However, an inevitable problem of these tools is their large number of warnings with a high false positive rate, which consumes time and effort for investigating. In this paper, we present DEFP, a novel method for ranking static analysis warnings. Based on the intuition that warnings which have similar contexts tend to have similar labels (true positive or false positive), DEFP is built with two BiLSTM models to capture the patterns associated with the contexts of labeled warnings. After that, for a set of new warnings, DEFP can calculate and rank them according to their likelihoods to be true positives (i.e., actual vulnerabilities). Our experimental results on a dataset of 10 real-world projects show that using DEFP, by investigating only 60% of the warnings, developers can find +90% of actual vulnerabilities. Moreover, DEFP improves the state-of-the-art approach 30% in both Precision and Recall.","PeriodicalId":143800,"journal":{"name":"2021 28th Asia-Pacific Software Engineering Conference (APSEC)","volume":"57 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-10-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 28th Asia-Pacific Software Engineering Conference (APSEC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/APSEC53868.2021.00040","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 5

Abstract

Static analysis tools are frequently used to detect potential vulnerabilities in software systems. However, an inevitable problem of these tools is their large number of warnings with a high false positive rate, which consumes time and effort for investigating. In this paper, we present DEFP, a novel method for ranking static analysis warnings. Based on the intuition that warnings which have similar contexts tend to have similar labels (true positive or false positive), DEFP is built with two BiLSTM models to capture the patterns associated with the contexts of labeled warnings. After that, for a set of new warnings, DEFP can calculate and rank them according to their likelihoods to be true positives (i.e., actual vulnerabilities). Our experimental results on a dataset of 10 real-world projects show that using DEFP, by investigating only 60% of the warnings, developers can find +90% of actual vulnerabilities. Moreover, DEFP improves the state-of-the-art approach 30% in both Precision and Recall.
使用表示学习对静态分析工具的警告进行排序
静态分析工具经常用于检测软件系统中的潜在漏洞。然而,这些工具的一个不可避免的问题是它们的警告数量多,假阳性率高,这消耗了调查的时间和精力。本文提出了一种对静态分析警告进行排序的新方法——DEFP。基于具有相似上下文的警告倾向于具有相似标签(真阳性或假阳性)的直觉,DEFP使用两个BiLSTM模型构建,以捕获与标记警告的上下文相关的模式。之后,对于一组新的警告,DEFP可以根据它们成为真阳性(即实际漏洞)的可能性计算并对它们进行排序。我们在10个真实项目的数据集上的实验结果表明,使用DEFP,仅通过调查60%的警告,开发人员可以发现+90%的实际漏洞。此外,DEFP在准确率和召回率方面都提高了30%。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信