Using Multiple Code Representations to Prioritize Static Analysis Warnings
Authors: Thanh Vu, H. Vo
Venue: 2022 14th International Conference on Knowledge and Systems Engineering (KSE)
Published: 2022-09-25
DOI: 10.1109/KSE56063.2022.9953786 (https://doi.org/10.1109/KSE56063.2022.9953786)
In order to ensure the quality of software and prevent attacks from hackers on critical systems, static analysis tools are frequently utilized to detect vulnerabilities in the early development phase. However, these tools often report a large number of warnings with a high false-positive rate, which causes many difficulties for developers. In this paper, we introduce VuLRG, a novel approach to address this problem. Specifically, VuLRG predicts and ranks the warnings based on their likelihood of being true positives. To predict these likelihoods, VuLRG combines two deep learning models, a CNN and a BiGRU, to capture the context of each warning in terms of program syntax, control flow, and program dependence. Our experimental results on a real-world dataset of 6,620 warnings show that VuLRG's Recall at Top-50% is 90%. This means that using VuLRG, 90% of the vulnerabilities can be found by examining only 50% of the warnings. Moreover, at Top-5%, VuLRG can improve on the state-of-the-art approach by +30% in both Precision and Recall.