Practically implementing an LLM-supported collaborative vulnerability remediation process: A team-based approach DOI
Xiao-Qing Wang, Yuanjing Tian, Keman Huang

et al.

Computers & Security, Journal Year: 2024, Volume and Issue: 148, P. 104113 - 104113

Published: Sept. 14, 2024

Language: English

Early and Realistic Exploitability Prediction of Just-Disclosed Software Vulnerabilities: How Reliable Can It Be? DOI Open Access
Emanuele Iannone, Giulia Sellitto, Emanuele Iaccarino

et al.

ACM Transactions on Software Engineering and Methodology, Journal Year: 2024, Volume and Issue: 33(6), P. 1 - 41

Published: March 27, 2024

With the rate of discovered and disclosed vulnerabilities escalating, researchers have been experimenting with machine learning to predict whether a vulnerability will be exploited. Existing solutions leverage information unavailable when CVE is created, making them unsuitable just after disclosure. This paper experiments early exploitability prediction models driven exclusively by initial record, i.e., original description linked online discussions. Leveraging NVD Exploit Database, we evaluate 72 trained using six traditional classifiers, four feature representation schemas, three data balancing algorithms. We also experiment five pre-trained large language (LLMs). The seven different corpora made combining sources, description, Security Focus , BugTraq . are evaluated in realistic time-aware fashion removing training test instances that cannot labeled “neutral” sufficient confidence. validation reveals descriptions discussions best train on. Pre-trained LLMs do not show expected performance, requiring further pre-training security domain. distill new research directions, identify possible room for improvement, envision automated systems assisting experts assessing exploitability.

Language: English

Citations

3

Generating realistic vulnerabilities via neural code editing: an empirical study DOI Open Access
Yu Nong, Yuzhe Ou, Michael Pradel

et al.

Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Journal Year: 2022, Volume and Issue: unknown

Published: Nov. 7, 2022

The availability of large-scale, realistic vulnerability datasets is essential both for benchmarking existing techniques and developing effective new data-driven approaches software security. Yet such are critically lacking. A promising solution to generate by injecting vulnerabilities into real-world programs, which richly available. Thus, in this paper, we explore the feasibility injection through neural code editing. With a synthetic dataset one, investigate potential gaps three state-of-the-art editors injection. We find that studied have critical limitations on dataset, where best accuracy only 10.03%, versus 79.40% dataset. While graph-based more (successfully up 34.93% testing samples) than sequence-based one (0 success), they still suffer from complex structures fall short long edits due their insufficient designs preprocessing deep learning (DL) models. reveal promise editing generating vulnerable samples, as help boost effectiveness DL-based detectors 49.51% terms F1 score. also provide insights current (e.g., good at deleting but not replacing code) actionable suggestions addressing them designing primitives).

Language: English

Citations

13

Modeling the Development of Energy Network Software, Taking into Account the Detection and Elimination of Vulnerabilities DOI Creative Commons
Igor Kotenko, Konstantin Izrailov, Mikhail Buinevich

et al.

Energies, Journal Year: 2023, Volume and Issue: 16(13), P. 5111 - 5111

Published: July 2, 2023

This paper solves the problem of modeling scheme for developing software systems, which can be used in building solutions secure energy networks. A development is proposed a set representations through each program complex passes, namely following representations: idea, conceptual model, architecture, algorithm, source code, graphic abstract syntax tree, assembler machine byte executed code. The main properties representation are indicated, such as form (text, graphic, programming language, binary, and decoded), (transformation) methods, well vulnerabilities that detected it. An example given, particularly applied to elements (representations, vulnerabilities, forms, etc.) operations working with their (representation transformation, vulnerability injection, detection) presented an analytical form. simple networks given. classification introduced; it divides according structural level, functioning disruption, information impact. views substantiated using common exposures (CVE) database. experiment was conducted demonstrate spread across during network. features applications obtained results taken into account. advantages, disadvantages, limitations study, ways eliminate them, discussed.

Language: English

Citations

7

Vulnerability discovery based on source code patch commit mining: a systematic literature review DOI
Fei Zuo, Junghwan Rhee

International Journal of Information Security, Journal Year: 2024, Volume and Issue: 23(2), P. 1513 - 1526

Published: Jan. 6, 2024

Language: English

Citations

2

PPT4J: Patch Presence Test for Java Binaries DOI
Ziyi Pan, Xing Hu, Xin Xia

et al.

Published: April 12, 2024

The number of vulnerabilities reported in open source software has increased substantially recent years. Security patches provide the necessary measures to protect from attacks and vulnerabilities. In practice, it is difficult identify whether have been integrated into software, especially if we only binary files. Therefore, ability test a patch applied target binary, a.k.a. presence test, crucial for practitioners. However, challenging obtain accurate semantic information patches, which could lead incorrect results.

Language: English

Citations

2

An Empirical Study of Static Analysis Tools for Secure Code Review DOI
Wachiraphan Charoenwet, Patanamon Thongtanunam, Van-Thuan Pham

et al.

Published: Sept. 11, 2024

Language: English

Citations

2

Modeling a Program with Vulnerabilities in the Terms of Its Representations Evolution. Part 1. Life Cycle Scheme DOI Open Access
Konstantin Izrailov

Proceedings of Telecommunication Universities, Journal Year: 2023, Volume and Issue: 9(1), P. 75 - 93

Published: March 13, 2023

The investigation results of the creating programs process and resulting vulnerabilities are presented. first part articles series offers a life cycle graphical scheme representations (namely, following: Idea, Conceptual model, Architecture, 2D block diagram, Function Flowchart, Structogram, Pseudo-code, Classical code, Generation metacode, Script Assembly Abstract Syntax Tree, Machine Code, Bytecode) through which any sample program passes. main properties such indicated - purpose, form content, obtaining restoring methods, as well possible ways to detect them. A nested classification is introduced, consisting their division according structural level in program, change content functionality impact on information being processed.

Language: English

Citations

6

Rubbing salt in the wound? A large-scale investigation into the effects of refactoring on security DOI Creative Commons
Emanuele Iannone, Zadia Codabux, Valentina Lenarduzzi

et al.

Empirical Software Engineering, Journal Year: 2023, Volume and Issue: 28(4)

Published: May 24, 2023

Software refactoring is a behavior-preserving activity to improve the source code quality without changing its external behavior. Unfortunately, it often manual and error-prone task that may induce regressions in code. Researchers have provided initial compelling evidence of relation between defects, yet little known about how much impact software security. This paper bridges this knowledge gap by presenting large-scale empirical investigation into effects on security profile applications. We conduct three-level mining repository study establish 14 types (i) security-related metrics, (ii) technical debt, (iii) introduction vulnerabilities. The covers 39 projects total amount 7,708 commits. key results show has limited connection However, Inline Method Extract Interface statistically contribute improving some aspects connected encapsulating security-critical components. Superclass Pull Up Attribute are commonly found commits violating specific best practices for writing secure Finally, & Move tend occur more contributing conclude distilling lessons learned recommendations researchers practitioners.

Language: English

Citations

5

The Benefits of Vulnerability Discovery and Bug Bounty Programs: Case Studies of Chromium and Firefox DOI
Soodeh Atefi, Amutheezan Sivagnanam, Afiya Ayman

et al.

Proceedings of the ACM Web Conference 2022, Journal Year: 2023, Volume and Issue: unknown, P. 2209 - 2219

Published: April 26, 2023

Recently, bug-bounty programs have gained popularity and become a significant part of the security culture many organizations. Bug-bounty enable organizations to enhance their posture by harnessing diverse expertise crowds external experts (i.e., bug hunters). Nonetheless, quantifying benefits remains elusive, which presents challenge for managing them. Previous studies focused on measuring in terms number vulnerabilities reported or based properties vulnerabilities, such as severity exploitability. However, beyond these inherent properties, value report also depends probability that vulnerability would be discovered threat actor before an internal expert could discover patch it. In this paper, we present data-driven study Chromium Firefox vulnerability-reward programs. First, estimate difficulty discovering using rediscovery novel metric. Our findings show discovery patching provide clear making it difficult actors find vulnerabilities; however, identify opportunities improvement, incentivizing hunters focus more development releases. Second, compare types are internally vs. externally those exploited actors. We observe differences between found hunters, teams, actors, indicates important benefit complementing but should incentivized likely

Language: English

Citations

4

Can an old fashioned feature extraction and a light-weight model improve vulnerability type identification performance? DOI
Hieu Dinh Vo, Son Nguyen

Information and Software Technology, Journal Year: 2023, Volume and Issue: 164, P. 107304 - 107304

Published: July 28, 2023

Language: English

Citations

4