
2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS): Latest Publications

Cache Optimizations for Test Case Reduction
Dániel Vince, Ákos Kiss
Finding the relevant part of failure-inducing inputs is an important first step on the path of debugging. If much of a test case that triggers a bug does not contribute to the actual failure, then the time required to fix the bug can increase considerably. In this paper, we focus on the memory requirements of automatic test case reduction. During minimization, the same test case might be tested multiple times, and determining the outcome of an input may take time, therefore, different caching solutions were proposed to avoid re-testing previously seen inputs. We investigated the caching solutions of DDMIN and HDD, and found that their scaling is suboptimal. We propose three optimizations for one of the state-of-the-art caching solutions: with the optimizations combined, DDMIN requires 96% and HDD requires 85% less memory compared to the baseline implementation. Furthermore, as a side effect, the reduction becomes faster by 9.9% with DDMIN.
DOI: https://doi.org/10.1109/QRS57517.2022.00052. Published 2022-12-01.
Citations: 0
Formal Verification of Hierarchical Ptolemy II Synchronous-Reactive Models with Bounded Model Checking
Xiaozhen Zhang, Zhaoming Yang, Hui Kong, W. Kong
Ptolemy II is an open-source modeling and simulation tool for concurrent, real-time and embedded systems, particularly those involving hierarchical heterogeneity. The synchronous-reactive (SR) model of computation, which has been implemented in Ptolemy II, is commonly used to design safety-critical systems with complicated control logic. Formally verifying the correctness of hierarchical SR models is of great importance and also challenging due to the formalization of a series of specific features including, e.g., instantaneous communication between actors across the level of hierarchy, the combination of SR’s fixed-point semantic with hierarchical structure, and multiple clocks proceeding at different rates in multiclock SR models. In this paper, we tackle such challenges and propose a bounded model checking (BMC) approach to typical actors commonly used in hierarchical SR models. In addition, we implement the proposed BMC approach to hierarchical SR models in a prototype tool called Ptolemy-Z3, which has been integrated into the Ptolemy II environment. Experimental results show that Ptolemy-Z3 significantly outperforms Ptolemy-NuSMV (a verification tool provided by the Ptolemy II environment) in the verification capability of hierarchical SR models.
DOI: https://doi.org/10.1109/QRS57517.2022.00049. Published 2022-12-01.
Citations: 0
Crowdsourced Testing Task Assignment based on Knowledge Graphs
Peng-Xi Yang, Chao Chang, Yong Tang
The non-professional and uncertain testers in crowdsourced testing could lead to the problems of uneven test report quality, substandard test requirement coverage, a large number of repeated bug reports, and low efficiency of report reviewing. This paper designs a crowdsourced testing task assignment approach based on knowledge graph, trying to make full use of the individual advantages and crowd intelligence of crowdsourced workers in crowdsourced testing through personalized task assignment, with the goal to improve the quality of test reports and test completion efficiency. The approach includes three modules: 1) knowledge graph data acquisition: the concept of collaborative crowdsourced test is introduced, and a complete crowdsourced report submission platform is built to obtain the required data for the knowledge graph. 2) Knowledge graph feature learning: building an internal knowledge graph of the crowdsourced testing field based on the data in the platform and combining the historical task records of crowdsourced workers as input, using the machine learning model to get the crowdsourced workers’ preference for specific tasks, and integrates the three-level page coverage and bug-like status. 3) Knowledge graph task assignment: assign test tasks and audit tasks to crowdsourced workers in order to improve the coverage of test requirements and overall test efficiency. We compare the quantity and quality of bug reports in a crowdsourced test task between the task assignment system based on a knowledge graph and the system based on collaborative filtering, which proves the effectiveness of our task assignment technique.
DOI: https://doi.org/10.1109/QRS57517.2022.00072. Published 2022-12-01.
Citations: 0
An Empirical Study on Source Code Feature Extraction in Preprocessing of IR-Based Requirements Traceability
Bangchao Wang, Yang Deng, Ruiqi Luo, Huan Jin
In information retrieval-based (IR-based) requirements traceability research, a great deal of research has focused on establishing trace links between requirements and source code. However, as the description styles of source code and requirements are very different, how to better preprocess the code is crucial for the quality of trace link generation. This paper aims to draw empirical conclusions about code feature extraction, annotation importance assessment, and annotation redundancy removal through comprehensive experiments, which impact the quality of trace links generated by IR-based methods between requirements and source code. The results show that when the average annotation density is higher than 0.2, feature extraction is recommended. Removing redundancy from code with high annotation redundancy can enhance the quality of trace links. The above experiences can help developers to improve the quality of trace link generation and provide them with advice on writing code.
DOI: https://doi.org/10.1109/QRS57517.2022.00110. Published 2022-12-01.
Citations: 1
Contextual Operationalization of Metrics as Scores: Is My Metric Value Good?
Sebastian Hönel, Morgan Ericsson, Welf Löwe, Anna Wingkvist
Software quality models aggregate metrics to indicate quality. Most metrics reflect counts derived from events or attributes that cannot directly be associated with quality. Worse, what constitutes a desirable value for a metric may vary across contexts. We demonstrate an approach to transforming arbitrary metrics into absolute quality scores by leveraging metrics captured from similar contexts. In contrast to metrics, scores represent freestanding quality properties that are also comparable. We provide a web-based tool for obtaining contextualized scores for metrics as obtained from one’s software. Our results indicate that significant differences among various metrics and contexts exist. The suggested approach works with arbitrary contexts. Given sufficient contextual information, it allows for answering the question of whether a metric value is good/bad or common/extreme.
DOI: https://doi.org/10.1109/QRS57517.2022.00042. Published 2022-12-01.
Citations: 1
Automated Synthesis of Quantum Circuits using Neural Network
Kentaro Murakami, Jianjun Zhao
While the ability to build quantum computers is improving dramatically, developing quantum algorithms is very limited and relies on human insight and ingenuity. Although several quantum programming languages have been developed, it is challenging for software developers unfamiliar with quantum computing to learn and use these languages. It is, therefore, necessary to develop tools to support developing new quantum algorithms and programs automatically. This paper proposes AutoQC, an approach to automatically synthesizing quantum circuits using the neural network from input and output pairs. We consider a quantum circuit a sequence of quantum gates and synthesize a quantum circuit probabilistically by prioritizing through a neural network at each step. The experimental results highlight the ability of AutoQC to synthesize some essential quantum circuits at a lower cost.
DOI: https://doi.org/10.1109/QRS57517.2022.00075. Published 2022-12-01.
Citations: 0
ParGCN: Abnormal Transaction Detection based on Graph Neural Networks
Lian Yu, Qi Jing, Ruomiao Li, Zhiya Cheng, Chang Xu
This paper improves GraphSAGE from two aspects: 1) performing a sampling compensation before the training to avoid the possible information losses due to the sampling; and 2) adding a hopping connection with the initial inputs in the aggregating phase to avert the potential loss of the initial features of nodes. The empirical study shows that FastGCN can obtain a relatively higher recall of detection but with a lower precision due to its randomness of Monte-Carlo methods and ignoring the special impacts of neighbors; while the improved GraphSAGE gets a relatively higher precision of detection but with a lower recall due to only focusing on neighbors. This paper proposes a graph-based approach to improve both precision and recall of the abnormal transaction detection by hybridizing the improved GraphSAGE with FastGCN, called ParGCN (Precision and recall), describes the mathematical formulas of the hybrid model, and analyzes the time complexity. A set of experiments on the two data-sets with significant differences of the numbers of features are performed to compare and evaluate the proposed approach to demonstrate the validity in terms of the precision and recall.
DOI: https://doi.org/10.1109/QRS57517.2022.00085. Published 2022-12-01.
Citations: 1
IntJect: Vulnerability Intent Bug Seeding
Benjamin Petit, Ahmed Khanfir, E. Soremekun, Gilles Perrouin, Mike Papadakis
Studying and exposing software vulnerabilities is important to ensure software security, safety, and reliability. Software engineers often inject vulnerabilities into their programs to test the reliability of their test suites, vulnerability detectors, and security measures. However, state-of-the-art vulnerability injection methods only capture code syntax/patterns, they do not learn the intent of the vulnerability and are limited to the syntax of the original dataset. To address this challenge, we propose the first intent-based vulnerability injection method that learns both the program syntax and vulnerability intent. Our approach applies a combination of NLP methods and semantic-preserving program mutations (at the bytecode level) to inject code vulnerabilities. Given a dataset of known vulnerabilities (containing benign and vulnerable code pairs), our approach proceeds by employing semantic-preserving program mutations to transform the existing dataset to semantically similar code. Then, it learns the intent of the vulnerability via neural machine translation (Seq2Seq) models. The key insight is to employ Seq2Seq to learn the intent (context) of the vulnerable code in a manner that is agnostic of the specific program instance. We evaluate the performance of our approach using 1275 vulnerabilities belonging to five (5) CWEs from the Juliet test suite. We examine the effectiveness of our approach in producing compilable and vulnerable code. Our results show that IntJECT is effective, almost all (99%) of the code produced by our approach is vulnerable and compilable. We also demonstrate that the vulnerable programs generated by IntJECT are semantically similar to the withheld original vulnerable code. Finally, we show that our mutation-based data transformation approach outperforms its alternatives, namely data obfuscation and using the original data.
DOI: https://doi.org/10.1109/QRS57517.2022.00013. Published 2022-12-01.
Citations: 0
Fine-Tuning Pre-Trained Model to Extract Undesired Behaviors from App Reviews
Wenyu Zhang, Xiaojuan Wang, Shanyan Lai, Chunyang Ye, Hui Zhou
Mobile application markets usually enact policies to describe in detail the minimum requirements that an application should comply with. User comments on mobile applications contain a large amount of information that can be used to find out APP's violations of market policies in a cost-effective way. Existing state-of-the-art methods match user comments with the violations of market policies based on well-designed syntax rules, which however cannot well capture the semantics of user comments and cannot be generalized to the scenarios not covered by the rules. To address this issue, we propose an innovative method, UBC-BERT, to detect undesired behavior from user comments based on their semantics. By incorporating sentence embeddings with attention, we train a classification model for 21 groups of undesirable behaviors based on the fine-tuning of a pre-trained model BERT-BASE. The experimental results show that our solution outperforms the baseline solutions in terms of a higher precision (up to 60.5% more).
Citations: 0
TokenAuditor: Detecting Manipulation Risk in Token Smart Contract by Fuzzing
Mingpei Cao, Yueze Zhang, Zhenxuan Feng, Jiahao Hu, Yuesheng Zhu
Decentralized cryptocurrencies are influential smart contract applications in the blockchain, drawing interest from industry and academia. The capacity to govern and manage token behavior provided by the token smart contract adds to thriving decentralized applications. However, token smart contracts face security challenges in technology weakness and manipulation risks. In this work, we briefly describe the manipulation risk and propose TokenAuditor, a fuzzing framework detecting those risks in token smart contracts. TokenAuditor constructs basic blocks based on the contract bytecodes and adopts the rarity selection and mutation strategy to generate test cases. The main idea is to select the test cases that have hit rare basic blocks since the fuzzing started as candidates and perform mutation operations on them. In our evaluation, TokenAuditor discovered 664 manipulation risks of four types in 4021 real-world token contracts.
Citations: 0