False Positive Analysis of Software Vulnerabilities Using Machine Learning

Abstract

Dynamic Application Security Testing is conducted with the help of automated tools that have built-in scanners which automatically crawl all the webpages of the application and report security vulnerabilities based on certain set of pre-defined scan rules. Such pre-defined rules cannot fully determine the accuracy of a vulnerability and very often one needs to manually validate these results to remove the false positives. Eliminating false positives from such results can be a quite painful and laborious task. This article proposes an approach of eliminating false positives by using machine learning . Based on the historic data available on false positives, suitable machine learning models are deployed to predict if the reported defect is a real vulnerability or a false positive