Machine Learning to Combine Static Analysis Alerts with Software Metrics to Detect Security Vulnerabilities: An Empirical Study

Pereira, Jose D'Abruzzo; Campos, Joao R.; Vieira, Marco

doi:10.1109/edcc53658.2021.00008

Cited by 6 publications

(4 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The quality of the selected features greatly affects the performance of the final ML model [23]. Inspired by Pereira et al [63], we use 25 function-level ML features that can semantically be grouped into software metric-and SAST-based feature classes. We thereby focused to compile a set of lightweight features that can be easily extracted from the source code using freely available tools, or already exist as test artifacts (e.g., are generated whenever a software change is committed), yet are indicative enough to reliably predict vulnerable code.…”

Section: Featurementioning

confidence: 99%

“…• Number of lines in a function flagged as potentially vulnerable by CodeChecker, CodeQL, Cppcheck, Flawfinder, Infer, and AddressSanitizer (both absolute and relative to LoC) • Number of lines in a function flagged as potentially vulnerable by all SAST-tools (with/without ASAN; both absolute and relative to LoC) Pereira et al [63] employed in their work similar features to those above. Moreover, they show that using them in combination with software metrics leads to better prediction of vulnerable files than using only one of the two feature classes.…”

Section: • Number Of Incoming Calls Of a Function (Both Absolute And ...mentioning

confidence: 99%

“…Pereira et al [63] also employed software metrics and SAST-tool findings for binary (and multi-class) vulnerability prediction. For binary classification, they showed that using both, SAST-based and software metric features, results in higher detection rates than using only one of the two feature classes.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Green Fuzzing: A Saturation-Based Stopping Criterion using Vulnerability Prediction

Lipp¹,

Elsner²,

Kacianka³

et al. 2023

Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

Fuzzing is a widely used automated testing technique that uses random inputs to provoke program crashes indicating security breaches. A difficult but important question is when to stop a fuzzing campaign. Usually, a campaign is terminated when the number of crashes and/or covered code elements has not increased over a certain period of time. To avoid premature termination when a ramp-up time is needed before vulnerabilities are reached, code coverage is often preferred over crash count to decide when to terminate a campaign. However, a campaign might only increase the coverage on non-security-critical code or repeatedly trigger the same crashes. For these reasons, both code coverage and crash count tend to overestimate the fuzzing effectiveness, unnecessarily increasing the duration and thus the cost of the testing process.The present paper explores the tradeoff between the amount of saved fuzzing time and number of missed bugs when stopping campaigns based on the saturation of covered, potentially vulnerable functions rather than triggered crashes or regular function coverage. In a large-scale empirical evaluation of 30 open-source C programs with a total of 240 security bugs and 1,280 fuzzing campaigns, we first show that binary classification models trained on software with known vulnerabilities (CVEs), using lightweight machine learning features derived from findings of static application security testing tools and proven software metrics, can reliably predict (potentially) vulnerable functions. Second, we show that our proposed stopping criterion terminates 24-hour fuzzing campaigns 6-12 hours earlier than the saturation of crashes and regular function coverage while missing (on average) fewer than 0.5 out of 12.5 contained bugs. CCS CONCEPTS• Security and privacy → Software security engineering.

show abstract

Section: Featurementioning

confidence: 99%

Section: • Number Of Incoming Calls Of a Function (Both Absolute And ...mentioning

confidence: 99%

See 1 more Smart Citation

Green Fuzzing: A Saturation-Based Stopping Criterion using Vulnerability Prediction

Lipp¹,

Elsner²,

Kacianka³

et al. 2023

Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

show abstract

“…There is a sufficient number of methodological approaches and methods for the analysis of MC [ 9 , 10 , 11 ]. However, the primary task is to determine the architecture of the processor (hereinafter–Architecture), for execution on which this MC is intended [ 12 , 13 , 14 ].…”

Section: Introductionmentioning

confidence: 99%

Analytical Modeling for Identification of the Machine Code Architecture of Cyberphysical Devices in Smart Homes

Kotenko

Izrailov

Buinevich

2022

Sensors

View full text Add to dashboard Cite

Ensuring the security of modern cyberphysical devices is the most important task of the modern world. The reason for this is that such devices can cause not only informational, but also physical damage. One of the approaches to solving the problem is the static analysis of the machine code of the firmware of such devices. The situation becomes more complicated in the case of a Smart Home, since its devices can have different processor architectures (means instruction sets). In the case of cyberphysical devices of the Smart Home, the destruction of machine code due to physical influences is also possible. Therefore, the first step is to correctly identify the processor architecture. In the interests of this, a machine code model is proposed that has a formal notation and takes into account the possibility of code destruction. The article describes the full cycle of research (including experiment) in order to obtain this model. The model is based on byte-frequency machine code signatures. The experiment resulted in obtaining template signatures for the Top-16 processor architectures: Alpha, X32, Amd64, Arm64, Hppa64, I486, I686, Ia64, Mips, Mips64, Ppc, Ppc64, RiscV64, S390, S390x and Sparc64.

show abstract

A Dataset of Linux Failure Data for Dependability Evaluation and Improvement

Campos

Costa

Vieira

2022

2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W)

View full text Add to dashboard Cite

Machine Learning to Combine Static Analysis Alerts with Software Metrics to Detect Security Vulnerabilities: An Empirical Study

Cited by 6 publications

References 18 publications

Green Fuzzing: A Saturation-Based Stopping Criterion using Vulnerability Prediction

Green Fuzzing: A Saturation-Based Stopping Criterion using Vulnerability Prediction

Analytical Modeling for Identification of the Machine Code Architecture of Cyberphysical Devices in Smart Homes

A Dataset of Linux Failure Data for Dependability Evaluation and Improvement

Contact Info

Product

Resources

About