Challenging Machine Learning Algorithms in Predicting Vulnerable JavaScript Functions (2405.07213v1)
Abstract: The rapid rise of cyber-crime activities and the growing number of devices threatened by them place software security issues in the spotlight. As around 90% of all attacks exploit known types of security issues, finding vulnerable components and applying existing mitigation techniques is a viable practical approach for fighting against cyber-crime. In this paper, we investigate how state-of-the-art machine learning techniques, including a popular deep learning algorithm, perform in predicting functions with possible security vulnerabilities in JavaScript programs. We applied 8 machine learning algorithms to build prediction models using a new dataset constructed for this research from the vulnerability information in the public databases of the Node Security Project and the Snyk platform, and from code-fixing patches on GitHub. We used static source code metrics as predictors and an extensive grid search to find the best performing models. We also examined the effect of various re-sampling strategies for handling the imbalanced nature of the dataset. The best performing algorithm was KNN, which created a model for the prediction of vulnerable functions with an F-measure of 0.76 (0.91 precision and 0.66 recall). Moreover, deep learning, tree- and forest-based classifiers, and SVM were competitive, with F-measures over 0.70. Although the F-measures did not vary significantly across re-sampling strategies, the balance between precision and recall did change: training without re-sampling produced models favouring high precision at the cost of recall, while the re-sampling strategies yielded models with more balanced precision and recall.
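The pipeline the abstract describes (function-level static metrics as features, a KNN classifier, optional re-sampling of the imbalanced training set, evaluation by precision, recall and F-measure) can be reproduced in miniature. The block below is an added illustration, not the paper's code, dataset or metric extractor: the metric vectors (cyclomatic complexity, maximum nesting depth), their vulnerable/clean labels and the 3:1 class imbalance are all constructed for the example, and the under-sampler keeps a fixed prefix of the majority class instead of a random sample so the run is deterministic. What it shows is the effect the abstract reports: the same classifier trained on the raw imbalanced data favours precision and misses vulnerable functions, while the balanced training set trades some precision for recall.

```python
"""Toy function-level vulnerability prediction with k-NN on static metrics.

Added example, not the paper's code or data. Every function below is a
constructed (cyclomatic complexity, max nesting depth) pair with a
hand-assigned label: 1 = vulnerable, 0 = clean.
"""
from math import sqrt
from typing import List, Tuple

Vector = Tuple[float, ...]

# Constructed training set: 12 clean functions and 4 vulnerable ones (3:1 imbalance).
TRAIN_X: List[Vector] = [
    (1, 1), (2, 1), (1, 2), (2, 2), (3, 1), (3, 2),
    (4, 2), (4, 3), (5, 2), (5, 3), (6, 3), (6, 4),   # clean
    (7, 4), (8, 5), (9, 5), (10, 6),                  # vulnerable
]
TRAIN_Y: List[int] = [0] * 12 + [1] * 4

# Constructed held-out functions with their true labels.
TEST_X: List[Vector] = [(7, 3), (8, 4), (7, 2), (3, 3), (5, 4), (9, 6), (4, 4), (2, 3)]
TEST_Y: List[int] = [1, 1, 1, 0, 0, 1, 0, 0]


def euclid(a: Vector, b: Vector) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_predict(train_x: List[Vector], train_y: List[int], x: Vector, k: int = 3) -> int:
    """Majority vote among the k nearest training functions (ties keep list order)."""
    ranked = sorted(range(len(train_x)), key=lambda i: euclid(train_x[i], x))
    votes = sum(train_y[i] for i in ranked[:k])
    return 1 if votes * 2 > k else 0


def undersample(train_x: List[Vector], train_y: List[int]):
    """Balance the classes: keep every minority sample and only as many majority
    samples. Random under-sampling picks those at random; this deterministic
    variant keeps the first ones in list order (an assumption for the example)."""
    minority = 1 if train_y.count(1) <= train_y.count(0) else 0
    n_min = train_y.count(minority)
    kept_x, kept_y, kept_major = [], [], 0
    for x, y in zip(train_x, train_y):
        if y == minority:
            kept_x.append(x)
            kept_y.append(y)
        elif kept_major < n_min:
            kept_x.append(x)
            kept_y.append(y)
            kept_major += 1
    return kept_x, kept_y


def f_measure(precision: float, recall: float) -> float:
    """Harmonic mean of precision and recall (F1)."""
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0


def precision_recall_f1(y_true: List[int], y_pred: List[int]):
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall, f_measure(precision, recall)


def evaluate(resample: bool, k: int = 3):
    """Train on the raw or the under-sampled set, predict the held-out functions,
    and return (precision, recall, F1) on them."""
    train_x, train_y = undersample(TRAIN_X, TRAIN_Y) if resample else (TRAIN_X, TRAIN_Y)
    preds = [knn_predict(train_x, train_y, x, k) for x in TEST_X]
    return precision_recall_f1(TEST_Y, preds)


if __name__ == "__main__":
    for resample in (False, True):
        p, r, f = evaluate(resample)
        print(f"resample={resample}: precision={p:.2f} recall={r:.2f} F1={f:.2f}")
```

On this constructed data the raw model reaches precision 1.0 but recall 0.5 (two of the four vulnerable test functions sit next to clean neighbours and are outvoted), whereas the under-sampled model finds all four at the cost of one false positive (precision 0.8, recall 1.0). Which side of that trade-off is preferable depends on the cost of a missed vulnerability versus the cost of a reviewer chasing a false alarm.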
Authors: Rudolf Ferenc, Péter Hegedűs, Péter Gyimesi, Gábor Antal, Dénes Bán, Tibor Gyimóthy