ESEC/FSE 2022
Mon 14 - Fri 18 November 2022 Singapore
Fri 18 Nov 2022 14:00 - 14:20 at Town Plaza GLR - Prediction Models

The recent emergence of the Log4Shell vulnerability demonstrates the importance of detecting code vulnerabilities in software systems. Software Vulnerability Prediction Models (VPMs) are a promising tool for such detection. Recent studies have focused on improving the performance of models that predict whether a piece of code is vulnerable or not (binary classification). Such approaches are limited, however, because they give developers no information about the type of vulnerability that needs to be patched. We present a multi-class classification approach that improves the performance of vulnerability prediction models. Our approach uses abstract syntax tree (AST) n-grams to identify clusters of code related to specific vulnerability types. We evaluated the approach on real-world Java software vulnerability data and report increased predictive performance compared with a variety of other models: for example, F-measure increases from 55% to 75% and MCC increases from 48% to 74%. Our results suggest that clustering software vulnerabilities using AST n-gram information is a promising way to improve vulnerability prediction while also providing specific information about the vulnerability type.
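To make the idea of AST n-gram features concrete, here is an added illustration (not the paper's code and not its evaluation pipeline). The paper works on Java; this stand-in uses Python's own `ast` module so it runs stand-alone. The n-gram definition (consecutive node types along a pre-order walk), the nearest-centroid cluster assignment, the labels `sqli` and `path_traversal`, and all snippets are assumptions constructed for the example only.

```python
"""Added illustration of AST n-gram features for grouping code by vulnerability
type. Uses Python's ast module as a stand-in for Java ASTs; the n-gram
definition and the nearest-centroid assignment are assumptions, not the
paper's method."""
import ast
import math
from collections import Counter
from typing import Dict, Iterator, List, Tuple


def node_type_sequence(source: str) -> List[str]:
    """Pre-order walk of the parsed source, emitting AST node class names."""
    def walk(node: ast.AST) -> Iterator[str]:
        yield type(node).__name__
        for child in ast.iter_child_nodes(node):
            yield from walk(child)
    return list(walk(ast.parse(source)))


def ast_ngrams(source: str, n: int = 3) -> Counter:
    """Bag of n-grams over the node-type sequence. Order matters, so the
    feature keeps local structure such as (Call, Attribute, BinOp)."""
    seq = node_type_sequence(source)
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two sparse n-gram count vectors."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


# Constructed training snippets with hypothetical labels. In the paper these
# would be real Java methods with known vulnerability types.
SQLI_A = """\
def f(cur, name):
    cur.execute("SELECT * FROM u WHERE n='" + name + "'")
"""
SQLI_B = """\
def g(cur, uid):
    cur.execute('DELETE FROM s WHERE id=' + uid)
"""
PATH_A = """\
def h(base, p):
    return open(base + '/' + p).read()
"""
PATH_B = """\
def k(d, fn):
    with open(d + fn) as fh:
        return fh.read()
"""
TRAINING: Dict[str, List[str]] = {
    "sqli": [SQLI_A, SQLI_B],
    "path_traversal": [PATH_A, PATH_B],
}


def build_centroids(training: Dict[str, List[str]], n: int = 3) -> Dict[str, Counter]:
    """One summed n-gram vector per label, used as that cluster's centre."""
    centroids: Dict[str, Counter] = {}
    for label, sources in training.items():
        total: Counter = Counter()
        for src in sources:
            total.update(ast_ngrams(src, n))
        centroids[label] = total
    return centroids


def classify(source: str, centroids: Dict[str, Counter], n: int = 3) -> Tuple[str, float]:
    """Assign a snippet to the most similar cluster; returns (label, score)."""
    vec = ast_ngrams(source, n)
    scored = ((label, cosine(vec, c)) for label, c in centroids.items())
    return max(scored, key=lambda t: t[1])


CENTROIDS = build_centroids(TRAINING)

# Constructed held-out snippets, structurally different from the training ones.
NEW_SQLI = """\
def u(cur, val, uid):
    cur.execute("UPDATE t SET c=" + val + " WHERE id=" + uid)
"""
NEW_PATH = """\
def r(root, name):
    return open(root + name).read()
"""

if __name__ == "__main__":
    for name, src in (("NEW_SQLI", NEW_SQLI), ("NEW_PATH", NEW_PATH)):
        label, score = classify(src, CENTROIDS)
        print(f"{name}: {label} (cosine {score:.2f})")
```

The held-out snippets end up in the cluster whose centroid shares the most local tree shapes with them, even though they share no identifiers with the training code. That is the property the abstract relies on: n-grams over node types capture the structural signature of a vulnerability pattern independently of variable names, which is what lets a multi-class model name the vulnerability type rather than only flagging code as vulnerable.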

Fri 18 Nov

Displayed time zone: Beijing, Chongqing, Hong Kong, Urumqi

14:00 - 15:30: Prediction Models (PROMISE) at Town Plaza GLR
14:00 (20m) Research paper, PROMISE
Improving the Performance of Code Vulnerability Prediction using Abstract Syntax Tree Information
Fahad Al Debeyan (Lancaster University), Tracy Hall (Lancaster University), David Bowes (Lancaster University)

14:20 (20m) Research paper, PROMISE
Feature sets in just-in-time defect prediction: An empirical evaluation
Peter Bludau (fortiss GmbH), Alexander Pretschner (Technical University of Munich)

14:40 (20m) Research paper, PROMISE
Predicting Build Outcomes In Continuous Integration Using Textual Analysis of Source Code Commits
Khaled Al-Sabbagh (University of Gothenburg), Miroslaw Staron (University of Gothenburg), Regina Hebig (University of Gothenburg)

15:00 (20m) Research paper, PROMISE
Identifying security-related requirements in regulatory documents based on cross-project classification
Mazen Mohamad (Chalmers and University of Gothenburg), Jan-Philipp Steghöfer (XITASO GmbH IT & Software Solutions), Alexander Åström (Volvo GTT), Riccardo Scandariato (Hamburg University of Technology)