PatchView: Multi-modality detection of security patches

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Computers & Security Pub Date : 2025-01-30 DOI:10.1016/j.cose.2025.104356

Nitzan Farhi , Noam Koenigstein , Yuval Shavitt

{"title":"PatchView: Multi-modality detection of security patches","authors":"Nitzan Farhi , Noam Koenigstein , Yuval Shavitt","doi":"10.1016/j.cose.2025.104356","DOIUrl":null,"url":null,"abstract":"<div><div>Patching software become overwhelming for system administrators due to the large amounts of patch releases. Administrator should prioritize security patches to reduce the exposure to attacks, and can use for this task the Common Vulnerabilities and Exposures (CVE) system, which catalogs known security vulnerabilities in publicly released software or firmware. However, some developers choose to omit CVE publication and merely update their repositories, keeping the vulnerabilities undisclosed. Such actions leave users uninformed and potentially at risk. To this end, we present PatchView, an innovative multi-modal system tailored for the classification of commits as security patches. The system draws upon three unique data modalities associated with a commit: (1) Time-series representation of developer behavioral data within the Git repository, (2) Commit messages, and (3) The code patches. PatchView merges three single-modality sub-models, each adept at interpreting data from its designated source. A distinguishing feature of this solution is its ability to elucidate its predictions by examining the outputs of each sub-model, underscoring its interpretability. Notably, this research pioneers a language-agnostic methodology for security patch classification. Our evaluations indicate that the proposed solution can reveal concealed security patches with an accuracy of 94.52% and F1-scoreof 95.12%. The code for this paper will be made publicly available on GitHub: <span><span>https://github.com/nitzanfarhi/PatchView</span><svg><path></path></svg></span>.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"151 ","pages":"Article 104356"},"PeriodicalIF":5.4000,"publicationDate":"2025-01-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825000458","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Patching software become overwhelming for system administrators due to the large amounts of patch releases. Administrator should prioritize security patches to reduce the exposure to attacks, and can use for this task the Common Vulnerabilities and Exposures (CVE) system, which catalogs known security vulnerabilities in publicly released software or firmware. However, some developers choose to omit CVE publication and merely update their repositories, keeping the vulnerabilities undisclosed. Such actions leave users uninformed and potentially at risk. To this end, we present PatchView, an innovative multi-modal system tailored for the classification of commits as security patches. The system draws upon three unique data modalities associated with a commit: (1) Time-series representation of developer behavioral data within the Git repository, (2) Commit messages, and (3) The code patches. PatchView merges three single-modality sub-models, each adept at interpreting data from its designated source. A distinguishing feature of this solution is its ability to elucidate its predictions by examining the outputs of each sub-model, underscoring its interpretability. Notably, this research pioneers a language-agnostic methodology for security patch classification. Our evaluations indicate that the proposed solution can reveal concealed security patches with an accuracy of 94.52% and F1-scoreof 95.12%. The code for this paper will be made publicly available on GitHub: https://github.com/nitzanfarhi/PatchView.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

PatchView：安全补丁的多模式检测

由于大量的补丁发布，给软件打补丁变得让系统管理员不堪重负。管理员应该优先考虑安全补丁，以减少遭受攻击的风险，并且可以使用公共漏洞和暴露（Common Vulnerabilities and Exposures， CVE）系统来完成此任务，该系统对公开发布的软件或固件中的已知安全漏洞进行编目。然而，一些开发人员选择忽略CVE发布，仅仅更新他们的存储库，保持漏洞未公开。这样的行为会让用户不知情，并可能面临风险。为此，我们提出了PatchView，这是一个创新的多模式系统，专门用于将提交分类为安全补丁。该系统利用与提交相关的三种独特的数据模式：(1)Git存储库中开发人员行为数据的时间序列表示，(2)提交消息，(3)代码补丁。PatchView合并了三个单模态子模型，每个子模型都擅长解释来自其指定源的数据。该解决方案的一个显著特征是它能够通过检查每个子模型的输出来阐明其预测，强调其可解释性。值得注意的是，这项研究开创了一种与语言无关的安全补丁分类方法。我们的评估表明，该方案可以发现隐藏的安全补丁，准确率为94.52%，f1得分为95.12%。本文的代码将在GitHub上公开提供：https://github.com/nitzanfarhi/PatchView。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.