Mining Bug Databases for Unidentified Software Vulnerabilities

2012 5th International Conference on Human System Interactions Pub Date : 2012-06-06 DOI:10.1109/HSI.2012.22

Dumidu Wijayasekara, M. Manic, Jason L. Wright, M. McQueen

{"title":"Mining Bug Databases for Unidentified Software Vulnerabilities","authors":"Dumidu Wijayasekara, M. Manic, Jason L. Wright, M. McQueen","doi":"10.1109/HSI.2012.22","DOIUrl":null,"url":null,"abstract":"Identifying software vulnerabilities is becoming more important as critical and sensitive systems increasingly rely on complex software systems. It has been suggested in previous work that some bugs are only identified as vulnerabilities long after the bug has been made public. These vulnerabilities are known as hidden impact vulnerabilities. This paper discusses existing bug data mining classifiers and present an analysis of vulnerability databases showing the necessity to mine common publicly available bug databases for hidden impact vulnerabilities. We present a vulnerability analysis from January 2006 to April 2011 for two well known software packages: Linux kernel and MySQL. We show that 32% (Linux) and 62% (MySQL) of vulnerabilities discovered in this time period were hidden impact vulnerabilities. We also show that the percentage of hidden impact vulnerabilities has increased from 25% to 36% in Linux and from 59% to 65% in MySQL in the last two years. We then propose a hidden impact vulnerability identification methodology based on text mining classifier for bug databases. Finally, we discuss potential challenges faced by a development team when using such a classifier.","PeriodicalId":222377,"journal":{"name":"2012 5th International Conference on Human System Interactions","volume":"520 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2012-06-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"61","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 5th International Conference on Human System Interactions","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HSI.2012.22","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 61

Abstract

Identifying software vulnerabilities is becoming more important as critical and sensitive systems increasingly rely on complex software systems. It has been suggested in previous work that some bugs are only identified as vulnerabilities long after the bug has been made public. These vulnerabilities are known as hidden impact vulnerabilities. This paper discusses existing bug data mining classifiers and present an analysis of vulnerability databases showing the necessity to mine common publicly available bug databases for hidden impact vulnerabilities. We present a vulnerability analysis from January 2006 to April 2011 for two well known software packages: Linux kernel and MySQL. We show that 32% (Linux) and 62% (MySQL) of vulnerabilities discovered in this time period were hidden impact vulnerabilities. We also show that the percentage of hidden impact vulnerabilities has increased from 25% to 36% in Linux and from 59% to 65% in MySQL in the last two years. We then propose a hidden impact vulnerability identification methodology based on text mining classifier for bug databases. Finally, we discuss potential challenges faced by a development team when using such a classifier.

查看原文本刊更多论文

挖掘未识别软件漏洞的Bug数据库

随着关键和敏感系统越来越依赖于复杂的软件系统，识别软件漏洞变得越来越重要。在之前的工作中已经提出，有些bug在被公开很久之后才被识别为漏洞。这些漏洞被称为隐藏的影响漏洞。本文讨论了现有的漏洞数据挖掘分类器，并对漏洞数据库进行了分析，表明了挖掘公共漏洞数据库以隐藏影响漏洞的必要性。我们从2006年1月到2011年4月对两个著名的软件包:Linux内核和MySQL进行了漏洞分析。我们发现，在这段时间内发现的32% (Linux)和62% (MySQL)的漏洞是隐藏的影响漏洞。我们还显示，在过去两年中，Linux中隐藏影响漏洞的百分比从25%增加到36%，MySQL从59%增加到65%。在此基础上，提出了一种基于文本挖掘分类器的漏洞隐藏影响漏洞识别方法。最后，我们讨论了开发团队在使用这种分类器时面临的潜在挑战。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2012 5th International Conference on Human System Interactions

自引率

0.00%

发文量