A comprehensive analysis on software vulnerability detection datasets: trends, challenges, and road ahead

IF 2.4 4区计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

International Journal of Information Security Pub Date : 2024-07-23 DOI:10.1007/s10207-024-00888-y

Yuejun Guo, Seifeddine Bettaieb, Fran Casino

{"title":"A comprehensive analysis on software vulnerability detection datasets: trends, challenges, and road ahead","authors":"Yuejun Guo, Seifeddine Bettaieb, Fran Casino","doi":"10.1007/s10207-024-00888-y","DOIUrl":null,"url":null,"abstract":"<p>As society’s dependence on information and communication systems (ICTs) grows, so does the necessity of guaranteeing the proper functioning and use of such systems. In this context, it is critical to enhance the security and robustness of the DevSecOps pipeline through timely vulnerability detection. Usually, AI-based models enable desirable features such as automation, performance, and efficacy. However, the quality of such models highly depends on the datasets used during the training stage. The latter encompasses a series of challenges yet to be solved, such as access to extensive labelled datasets with specific properties, such as well-represented and balanced samples. This article explores the current state of practice of software vulnerability datasets and provides a classification of the main challenges and issues. After an extensive analysis, it describes a set of guidelines and desirable features that datasets should guarantee. The latter is applied to create a new dataset, which fulfils these properties, along with a descriptive comparison with the state of the art. Finally, a discussion on how to foster good practices among researchers and practitioners sets the ground for further research and continued improvement within this critical domain.</p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"17 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-07-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00888-y","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

As society’s dependence on information and communication systems (ICTs) grows, so does the necessity of guaranteeing the proper functioning and use of such systems. In this context, it is critical to enhance the security and robustness of the DevSecOps pipeline through timely vulnerability detection. Usually, AI-based models enable desirable features such as automation, performance, and efficacy. However, the quality of such models highly depends on the datasets used during the training stage. The latter encompasses a series of challenges yet to be solved, such as access to extensive labelled datasets with specific properties, such as well-represented and balanced samples. This article explores the current state of practice of software vulnerability datasets and provides a classification of the main challenges and issues. After an extensive analysis, it describes a set of guidelines and desirable features that datasets should guarantee. The latter is applied to create a new dataset, which fulfils these properties, along with a descriptive comparison with the state of the art. Finally, a discussion on how to foster good practices among researchers and practitioners sets the ground for further research and continued improvement within this critical domain.

Abstract Image

查看原文本刊更多论文

软件漏洞检测数据集综合分析：趋势、挑战和未来之路

随着社会对信息和通信系统（ICTs）的依赖性不断增加，保证此类系统正常运行和使用的必要性也在增加。在这种情况下，通过及时发现漏洞来提高 DevSecOps 管道的安全性和稳健性至关重要。通常，基于人工智能的模型可以实现自动化、性能和功效等理想功能。然而，此类模型的质量在很大程度上取决于训练阶段使用的数据集。后者包括一系列尚待解决的挑战，如获取具有特定属性的广泛标记数据集，如代表性强且均衡的样本。本文探讨了软件漏洞数据集的实践现状，并对主要挑战和问题进行了分类。经过广泛的分析，文章描述了一套数据集应保证的准则和理想特性。后者被用于创建一个符合这些特性的新数据集，并与现有技术进行了描述性比较。最后，讨论了如何在研究人员和从业人员中推广良好做法，为这一关键领域的进一步研究和持续改进奠定了基础。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

International Journal of Information Security 工程技术-计算机：理论方法

CiteScore

6.30

自引率

3.10%

发文量

审稿时长

12 months

期刊介绍： The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation. Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.