Improving Vulnerability Inspection Efficiency Using Active Learning
Software engineers can find vulnerabilities with less effort if they are directed towards code that might contain more vulnerabilities. HARMLESS is an incremental support vector machine tool that builds a vulnerability prediction model from the source code inspected to date, then suggests what source code files should be inspected next. In this way, HARMLESS can reduce the time and effort required to achieve some desired level of recall for finding vulnerabilities. The tool also provides feedback on when to stop (at that desired level of recall) while at the same time, correcting human errors by double-checking suspicious files.
This paper evaluates HARMLESS on Mozilla Firefox vulnerability data. HARMLESS found 80, 90, 95, 99% of the vulnerabilities by inspecting 10, 16, 20, 34% of the source code files. When targeting 90, 95, 99% recall, HARMLESS could stop after inspecting 23, 30, 47% of the source code files. Even when human reviewers fail to identify half of the vulnerabilities (50% false negative rate), HARMLESS could detect 96% of the missing vulnerabilities by double-checking half of the inspected files.
Wed 8 Jul Times are displayed in time zone: (UTC) Coordinated Universal Time change
|15:00 - 15:08|
|15:08 - 15:16|
Gema Rodríguez-PérezUniversity of Waterloo, Canada, Gregorio RoblesUniversidad Rey Juan Carlos, Alexander SerebrenikEindhoven University of Technology, Andy ZaidmanTU Delft, Daniel M. GermanUniversity of Victoria, Jesus M. Gonzalez-BarahonaUniversidad Rey Juan CarlosDOI Pre-print
|15:16 - 15:24|
|15:24 - 15:36|
|15:36 - 15:48|
|15:48 - 15:56|
Impact of Discretization Noise of the Dependent variable on Machine Learning Classifiers in Software EngineeringJ1