ICSE 2020
Wed 24 June - Thu 16 July 2020
Wed 8 Jul 2020 15:00 - 15:08 at Goguryeo - A8-Machine Learning and Models Chair(s): Liliana Pasquale

Software engineers can find vulnerabilities with less effort if they are directed towards code that might contain more vulnerabilities. HARMLESS is an incremental support vector machine tool that builds a vulnerability prediction model from the source code inspected to date, then suggests which source code files should be inspected next. In this way, HARMLESS can reduce the time and effort required to achieve some desired level of recall for finding vulnerabilities. The tool also provides feedback on when to stop (at that desired level of recall) while, at the same time, correcting human errors by double-checking suspicious files.

This paper evaluates HARMLESS on Mozilla Firefox vulnerability data. HARMLESS found 80, 90, 95, 99% of the vulnerabilities by inspecting 10, 16, 20, 34% of the source code files, respectively. When targeting 90, 95, 99% recall, HARMLESS could stop after inspecting 23, 30, 47% of the source code files, respectively. Even when human reviewers fail to identify half of the vulnerabilities (50% false negative rate), HARMLESS could detect 96% of the missed vulnerabilities by double-checking half of the inspected files.

Wed 8 Jul

Displayed time zone: (UTC) Coordinated Universal Time

15:00 - 16:00
A8-Machine Learning and Models (Journal First / Technical Papers) at Goguryeo
Chair(s): Liliana Pasquale University College Dublin & Lero
15:00
8m
Talk
Improving Vulnerability Inspection Efficiency Using Active Learning (J1)
Journal First
Zhe Yu North Carolina State University, Chris Theisen Microsoft, Laurie Williams North Carolina State University, Tim Menzies North Carolina State University
15:08
8m
Talk
How Bugs Are Born: A Model to Identify How Bugs Are Introduced in Software Components (J1)
Journal First
Gema Rodríguez-Pérez University of Waterloo, Canada, Gregorio Robles Universidad Rey Juan Carlos, Alexander Serebrenik Eindhoven University of Technology, Andy Zaidman TU Delft, Daniel M. German University of Victoria, Jesus M. Gonzalez-Barahona Universidad Rey Juan Carlos
15:16
8m
Talk
How to “DODGE” Complex Software Analytics (J1)
Journal First
Amritanshu Agrawal Wayfair, Wei Fu Landing AI, Di Chen North Carolina State University, USA, Xipeng Shen North Carolina State University, Tim Menzies North Carolina State University
15:24
12m
Talk
Importance-Driven Deep Learning System Testing (Technical)
Technical Papers
Simos Gerasimou University of York, UK, Hasan Ferit Eniser MPI-SWS, Alper Sen Bogazici University, Turkey, Alper Çakan Bogazici University, Turkey
15:36
12m
Talk
Quickly Generating Diverse Valid Test Inputs with Reinforcement Learning (Artifact Reusable, Technical, Artifact Available)
Technical Papers
Sameer Reddy University of California, Berkeley, Caroline Lemieux University of California, Berkeley, Rohan Padhye Carnegie Mellon University, Koushik Sen University of California, Berkeley
15:48
8m
Talk
Impact of Discretization Noise of the Dependent Variable on Machine Learning Classifiers in Software Engineering (J1)
Journal First
Gopi Krishnan Rajbahadur Queen's University, Shaowei Wang Mississippi State University, Yasutaka Kamei Kyushu University, Ahmed E. Hassan Queen's University