Improving Vulnerability Inspection Efficiency Using Active Learning

Detailed description

Saved in:
Bibliographic details
Published in: IEEE transactions on software engineering 2021-11, Vol.47 (11), p.2401-2420
Main authors: Yu, Zhe, Theisen, Christopher, Williams, Laurie, Menzies, Tim
Format: Article
Language: eng
Subjects:
Online access: Order full text
container_end_page 2420
container_issue 11
container_start_page 2401
container_title IEEE transactions on software engineering
container_volume 47
creator Yu, Zhe
Theisen, Christopher
Williams, Laurie
Menzies, Tim
description Software engineers can find vulnerabilities with less effort if they are directed towards code that might contain more vulnerabilities. HARMLESS is an incremental support vector machine tool that builds a vulnerability prediction model from the source code inspected to date, then suggests what source code files should be inspected next. In this way, HARMLESS can reduce the time and effort required to achieve some desired level of recall for finding vulnerabilities. The tool also provides feedback on when to stop (at that desired level of recall) while at the same time, correcting human errors by double-checking suspicious files. This paper evaluates HARMLESS on Mozilla Firefox vulnerability data. HARMLESS found 80, 90, 95, 99 percent of the vulnerabilities by inspecting 10, 16, 20, 34 percent of the source code files. When targeting 90, 95, 99 percent recall, HARMLESS could stop after inspecting 23, 30, 47 percent of the source code files. Even when human reviewers fail to identify half of the vulnerabilities (50 percent false negative rate), HARMLESS could detect 96 percent of the missing vulnerabilities by double-checking half of the inspected files. Our results serve to highlight the very steep cost of protecting software from vulnerabilities (in our case study that cost is, for example, the human effort of inspecting 28,750 × 20% = 5,750 source code files to identify 95 percent of the vulnerabilities). While this result could benefit the mission-critical projects where human resources are available for inspecting thousands of source code files, the research challenge for future work is how to further reduce that cost. The conclusion of this paper discusses various ways that goal might be achieved.
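The abstract describes the inspection loop at a high level: train a model on the files reviewed so far, rank the uninspected files, review the top of the ranking, retrain, stop once the estimated recall hits the target, and afterwards re-check files the reviewer passed as clean. The simulation below is an added illustration of that loop and is not the HARMLESS code or the authors' evaluation. It makes several assumptions that are labelled in the code: files are bags of tokens drawn from a constructed corpus with 10 percent prevalence; a centroid-difference linear scorer (presence rate among flagged files minus presence rate among passed files) stands in for the paper's incremental SVM; the stopping estimate is simply flagged / (flagged + uninspected files the model scores above zero), not the paper's estimator; and the 50 percent false-negative reviewer is simulated deterministically by missing every second vulnerable file.

```python
"""Active-learning-guided inspection loop, simulated.
Added illustration, not the HARMLESS code: the corpus, the scorer, the
recall estimate and the reviewers are all assumptions made for this example."""
import random

RISKY = ["strcpy", "sprintf", "memcpy", "alloca", "gets"]        # assumed tokens
SAFE = ["vector", "string", "snprintf", "assert", "log", "span"]  # assumed tokens


def make_corpus(n_files=200, n_vuln=20, seed=7):
    """Constructed corpus of (path, tokens, truly_vulnerable): vulnerable files
    draw risky tokens often, clean files rarely; prevalence is 10 percent."""
    rng = random.Random(seed)
    corpus = []
    for i in range(n_files):
        vuln = i < n_vuln
        p_risky = 0.6 if vuln else 0.05
        tokens = [rng.choice(RISKY) if rng.random() < p_risky else rng.choice(SAFE)
                  for _ in range(10)]
        corpus.append((f"src/file{i:03d}.cc", tokens, vuln))
    rng.shuffle(corpus)
    return corpus


def train(labelled):
    """Token weight = presence rate among files the reviewer flagged minus
    presence rate among files the reviewer passed (stand-in for the SVM)."""
    pos = [set(t) for t, y in labelled if y]
    neg = [set(t) for t, y in labelled if not y]
    weights = {}
    for tok in set().union(*pos, *neg):
        rate_pos = sum(tok in s for s in pos) / max(len(pos), 1)
        rate_neg = sum(tok in s for s in neg) / max(len(neg), 1)
        weights[tok] = rate_pos - rate_neg
    return weights


def score(weights, tokens):
    """Higher means the model considers the file more likely vulnerable."""
    return sum(weights.get(t, 0.0) for t in set(tokens))


def inspect_loop(corpus, reviewer, target_recall=0.9, batch=10, seed=7):
    """Inspect in batches: random order until the first file is flagged, then
    highest model score first, retraining after every batch. Stops when the
    estimated recall reaches the target. The estimate is an assumption, not the
    paper's estimator: flagged / (flagged + uninspected files scoring > 0)."""
    rng = random.Random(seed)
    remaining = list(range(len(corpus)))
    rng.shuffle(remaining)
    labels, weights, history = {}, {}, []  # history: (inspected, truly vulnerable flagged)
    while remaining:
        if any(labels.values()):
            remaining.sort(key=lambda i: score(weights, corpus[i][1]), reverse=True)
        for i in remaining[:batch]:
            labels[i] = reviewer(corpus[i])
        remaining = remaining[batch:]
        weights = train([(corpus[i][1], y) for i, y in labels.items()])
        history.append((len(labels), sum(1 for i, y in labels.items() if y and corpus[i][2])))
        flagged = sum(labels.values())
        predicted_left = sum(score(weights, corpus[i][1]) > 0 for i in remaining)
        if flagged and flagged / (flagged + predicted_left) >= target_recall:
            break
    return labels, weights, history


def double_check(corpus, weights, labels, fraction=0.5):
    """Re-inspect files the reviewer passed, highest score first, with a budget
    of `fraction` of all inspected files. The second look is assumed perfect.
    Returns the indices that turn out to be vulnerable after all."""
    passed = sorted((i for i, y in labels.items() if not y),
                    key=lambda i: score(weights, corpus[i][1]), reverse=True)
    return [i for i in passed[:int(len(labels) * fraction)] if corpus[i][2]]


def perfect_reviewer(entry):
    return entry[2]


def make_lossy_reviewer():
    """Deterministic stand-in for a 50 percent false-negative rate: misses
    every second truly vulnerable file shown to the reviewer."""
    seen = [0]

    def review(entry):
        if not entry[2]:
            return False
        seen[0] += 1
        return seen[0] % 2 == 1
    return review


def simulate(target_recall=0.9, lossy=False):
    """Run one inspection campaign and report effort and recall."""
    corpus = make_corpus()
    reviewer = make_lossy_reviewer() if lossy else perfect_reviewer
    labels, weights, history = inspect_loop(corpus, reviewer, target_recall)
    n_vuln = sum(v for _, _, v in corpus)
    found = history[-1][1]
    recovered = double_check(corpus, weights, labels) if lossy else []
    return {"inspected_fraction": len(labels) / len(corpus),
            "recall_at_stop": found / n_vuln,
            "recall_after_double_check": (found + len(recovered)) / n_vuln,
            "history": history}
```

Calling `simulate()` and `simulate(lossy=True)` returns the fraction of files inspected when the stopping rule fired, the true recall at that point, and the recall after the double-check pass. The `history` list is the recall curve the abstract's "80, 90, 95, 99 percent found after 10, 16, 20, 34 percent inspected" figures summarize; for this toy corpus the exact numbers depend on the constructed data and mean nothing about Firefox, and the stopping estimate will over- or undershoot the target, which is exactly the problem the paper's own estimator addresses.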
doi_str_mv 10.1109/TSE.2019.2949275
format Article
publisher New York: IEEE
ieee_id 8883076
coden IESEDJ
rights Copyright IEEE Computer Society 2021
orcidid 0000-0002-5040-3196 ; 0000-0002-6841-1725 ; 0000-0003-3300-6540
toplevel peer_reviewed
oa free_for_read
tpages 20
fulltext fulltext_linktorsrc
identifier ISSN: 0098-5589
ispartof IEEE transactions on software engineering, 2021-11, Vol.47 (11), p.2401-2420
issn 0098-5589
1939-3520
language eng
recordid cdi_proquest_journals_2596784015
source IEEE Electronic Library (IEL)
subjects Active learning
Error correction
Human error
Human resources
Inspection
Machine tools
NIST
Prediction models
Predictive models
Recall
Security
Software
software engineering
Source code
Support vector machines
vulnerabilities
title Improving Vulnerability Inspection Efficiency Using Active Learning
url https://ieeexplore.ieee.org/document/8883076