When Do Changes Induce Software Vulnerabilities?
Authors: Manar Alohaly, Hassan Takabi
Published in: 2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC)
Publication date: 2017-10-01
DOI: 10.1109/CIC.2017.00020 (https://doi.org/10.1109/CIC.2017.00020)
Citations: 5
Abstract
Version control systems (VCSs) have almost become the de facto standard for the management of open-source projects and the development of their source code. In VCSs, source code which can potentially be vulnerable is introduced to a system through what are so-called commits. Vulnerable commits force the system into an insecure state. The far-reaching impact of vulnerabilities attests to the importance of identifying and understanding the characteristics of prior vulnerable changes (or commits), in order to detect future similar ones. The concept of change classification was previously studied in the literature of bug detection to identify commits with defects. In this paper, we borrow the notion of change classification from the literature of defect detection to further investigate its applicability to the vulnerability detection problem using semi-supervised learning. In addition, we also experiment with new vulnerability predictors, and compare the predictive power of our proposed features with vulnerability prediction techniques based on text mining. The experimental results show that our semi-supervised approach holds promise in improving change classification effectiveness by leveraging unlabeled data.