Challenges with applying vulnerability prediction models

Proceedings of the 2015 Symposium and Bootcamp on the Science of Security Pub Date : 2015-04-21 DOI:10.1145/2746194.2746198

P. Morrison, Kim Herzig, Brendan Murphy, L. Williams

{"title":"Challenges with applying vulnerability prediction models","authors":"P. Morrison, Kim Herzig, Brendan Murphy, L. Williams","doi":"10.1145/2746194.2746198","DOIUrl":null,"url":null,"abstract":"Vulnerability prediction models (VPM) are believed to hold promise for providing software engineers guidance on where to prioritize precious verification resources to search for vulnerabilities. However, while Microsoft product teams have adopted defect prediction models, they have not adopted vulnerability prediction models (VPMs). The goal of this research is to measure whether vulnerability prediction models built using standard recommendations perform well enough to provide actionable results for engineering resource allocation. We define 'actionable' in terms of the inspection effort required to evaluate model results. We replicated a VPM for two releases of the Windows Operating System, varying model granularity and statistical learners. We reproduced binary-level prediction precision (~0.75) and recall (~0.2). However, binaries often exceed 1 million lines of code, too large to practically inspect, and engineers expressed preference for source file level predictions. Our source file level models yield precision below 0.5 and recall below 0.2. We suggest that VPMs must be refined to achieve actionable performance, possibly through security-specific metrics.","PeriodicalId":134331,"journal":{"name":"Proceedings of the 2015 Symposium and Bootcamp on the Science of Security","volume":"36 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-04-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"99","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2015 Symposium and Bootcamp on the Science of Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2746194.2746198","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 99

Abstract

Vulnerability prediction models (VPM) are believed to hold promise for providing software engineers guidance on where to prioritize precious verification resources to search for vulnerabilities. However, while Microsoft product teams have adopted defect prediction models, they have not adopted vulnerability prediction models (VPMs). The goal of this research is to measure whether vulnerability prediction models built using standard recommendations perform well enough to provide actionable results for engineering resource allocation. We define 'actionable' in terms of the inspection effort required to evaluate model results. We replicated a VPM for two releases of the Windows Operating System, varying model granularity and statistical learners. We reproduced binary-level prediction precision (~0.75) and recall (~0.2). However, binaries often exceed 1 million lines of code, too large to practically inspect, and engineers expressed preference for source file level predictions. Our source file level models yield precision below 0.5 and recall below 0.2. We suggest that VPMs must be refined to achieve actionable performance, possibly through security-specific metrics.

查看原文本刊更多论文

应用漏洞预测模型的挑战

漏洞预测模型(VPM)被认为有希望为软件工程师提供指导，指导他们在哪里优先考虑宝贵的验证资源来搜索漏洞。然而，虽然微软产品团队采用了缺陷预测模型，但他们还没有采用漏洞预测模型(VPMs)。本研究的目的是衡量使用标准建议建立的脆弱性预测模型是否能够很好地为工程资源分配提供可操作的结果。我们根据评估模型结果所需的检查工作来定义“可操作的”。我们为两个版本的Windows操作系统复制了一个VPM，不同的模型粒度和统计学习器。我们重现了二值水平的预测精度(~0.75)和召回率(~0.2)。然而，二进制代码通常超过100万行，太大而无法实际检查，工程师们表示更倾向于源文件级别的预测。我们的源文件级模型的精度低于0.5，召回率低于0.2。我们建议必须改进vpm以实现可操作的性能，可能是通过特定于安全的度量。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2015 Symposium and Bootcamp on the Science of Security

自引率

0.00%

发文量