Detecting Security Patches via Behavioral Data in Code Repositories
- URL: http://arxiv.org/abs/2302.02112v1
- Date: Sat, 4 Feb 2023 06:43:07 GMT
- Title: Detecting Security Patches via Behavioral Data in Code Repositories
- Authors: Nitzan Farhi, Noam Koenigstein, Yuval Shavitt
- Abstract summary: We show a system to automatically identify security patches using only the developer behavior in the Git repository.
We showed we can reveal concealed security patches with an accuracy of 88.3% and F1 Score of 89.8%.
- Score: 11.052678122289871
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: The absolute majority of software today is developed collaboratively using
collaborative version control tools such as Git. It is a common practice that
once a vulnerability is detected and fixed, the developers behind the software
issue a Common Vulnerabilities and Exposures or CVE record to alert the user
community of the security hazard and urge them to integrate the security patch.
However, some companies might not disclose their vulnerabilities and just
update their repository. As a result, users are unaware of the vulnerability
and may remain exposed. In this paper, we present a system to automatically
identify security patches using only the developer behavior in the Git
repository without analyzing the code itself or the remarks that accompanied
the fix (commit message). We showed we can reveal concealed security patches
with an accuracy of 88.3% and F1 Score of 89.8%. This is the first time that a
language-oblivious solution for this problem is presented.
Related papers
- EmInspector: Combating Backdoor Attacks in Federated Self-Supervised Learning Through Embedding Inspection [53.25863925815954]
Federated self-supervised learning (FSSL) has emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data.
While FSSL offers advantages, its susceptibility to backdoor attacks has not been investigated.
We propose the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models.
arXiv Detail & Related papers (2024-05-21T06:14:49Z) - Measuring the Exploitation of Weaknesses in the Wild [0.0]
A weakness is a bug or fault type that can be exploited through an operation that results in a security-relevant error.
This work introduces a simple metric to determine the probability of a weakness being exploited in the wild for any 30-day window.
Our analysis reveals that 92 % of the weaknesses are not being constantly exploited.
arXiv Detail & Related papers (2024-05-02T13:49:51Z) - Toward Effective Secure Code Reviews: An Empirical Study of Security-Related Coding Weaknesses [14.134803943492345]
We conducted an empirical case study in two large open-source projects, OpenSSL and PHP.
Based on 135,560 code review comments, we found that reviewers raised security concerns in 35 out of 40 coding weakness categories.
Some coding weaknesses related to past vulnerabilities, such as memory errors and resource management, were discussed less often than the vulnerabilities.
arXiv Detail & Related papers (2023-11-28T00:49:00Z) - SyzTrust: State-aware Fuzzing on Trusted OS Designed for IoT Devices [67.65883495888258]
We present SyzTrust, the first state-aware fuzzing framework for vetting the security of resource-limited Trusted OSes.
SyzTrust adopts a hardware-assisted framework to enable fuzzing Trusted OSes directly on IoT devices.
We evaluate SyzTrust on Trusted OSes from three major vendors: Samsung, Tsinglink Cloud, and Ali Cloud.
arXiv Detail & Related papers (2023-09-26T08:11:38Z) - Security Defect Detection via Code Review: A Study of the OpenStack and
Qt Communities [7.2944322548786715]
Security defects are not prevalently discussed in code review.
More than half of the reviewers provided explicit fixing strategies/solutions to help developers fix security defects.
Disagreement between the developer and the reviewer are the main causes for not resolving security defects.
arXiv Detail & Related papers (2023-07-05T14:30:41Z) - On the Security Blind Spots of Software Composition Analysis [46.1389163921338]
We present a novel approach to detect vulnerable clones in the Maven repository.
We retrieve over 53k potential vulnerable clones from Maven Central.
We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
arXiv Detail & Related papers (2023-06-08T20:14:46Z) - CodeLMSec Benchmark: Systematically Evaluating and Finding Security
Vulnerabilities in Black-Box Code Language Models [58.27254444280376]
Large language models (LLMs) for automatic code generation have achieved breakthroughs in several programming tasks.
Training data for these models is usually collected from the Internet (e.g., from open-source repositories) and is likely to contain faults and security vulnerabilities.
This unsanitized training data can cause the language models to learn these vulnerabilities and propagate them during the code generation procedure.
arXiv Detail & Related papers (2023-02-08T11:54:07Z) - VulCurator: A Vulnerability-Fixing Commit Detector [8.32137934421055]
VulCurator is a tool that leverages deep learning on richer sources of information.
VulCurator outperforms the state-of-the-art baselines up to 16.1% in terms of F1-score.
arXiv Detail & Related papers (2022-09-07T16:11:31Z) - VELVET: a noVel Ensemble Learning approach to automatically locate
VulnErable sTatements [62.93814803258067]
This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code.
Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph.
VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
arXiv Detail & Related papers (2021-12-20T22:45:27Z) - Early Detection of Security-Relevant Bug Reports using Machine Learning:
How Far Are We? [6.438136820117887]
In a typical maintenance scenario, security-relevant bug reports are prioritised by the development team when preparing corrective patches.
Open security-relevant bug reports can become a critical leak of sensitive information that attackers can leverage to perform zero-day attacks.
In recent years, approaches for the detection of security-relevant bug reports based on machine learning have been reported with promising performance.
arXiv Detail & Related papers (2021-12-19T11:30:29Z) - Dos and Don'ts of Machine Learning in Computer Security [74.1816306998445]
Despite great potential, machine learning in security is prone to subtle pitfalls that undermine its performance.
We identify common pitfalls in the design, implementation, and evaluation of learning-based security systems.
We propose actionable recommendations to support researchers in avoiding or mitigating the pitfalls where possible.
arXiv Detail & Related papers (2020-10-19T13:09:31Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.