PatUntrack: Automated Generating Patch Examples for Issue Reports without Tracked Insecure Code

9th IFIP International Conference on New Technologies, Mobility and Security

Slice Distance: An Insert-Only Levenshtein Distance with a Focus on Security Applications

Zeeshan Afzal, Johan Garcia, Stefan Lindskog, Anna Brunström

Published: 2018

Atlassian

Jira | Issue & Project Tracking Software

Published: 2023

Proceedings of the 2012 ACM conference on Computer and communications security

Before we knew it: an empirical study of zero-day attacks in the real world

L. Bilge, T. Dumitraş

Published: 2012

arxiv

被引用数 1

DiverseVul: A New Vulnerable Source Code Dataset for Deep Learning Based Vulnerability Detection

Yizheng Chen, Zhoujie Ding, Lamya Alowain, Xinyun Chen, David Wagner

Published: 2023.4.2

We propose and release a new vulnerable source code dataset. We curate the dataset by crawling security issue websites, extracting vulnerability-fixing commits and source codes from the corresponding projects. Our new dataset contains 18,945 vulnerable functions spanning 150 CWEs and 330,492 non-vulnerable functions extracted from 7,514 commits. Our dataset covers 295 more projects than all previous datasets combined. Combining our new dataset with previous datasets, we present an analysis of the challenges and promising research directions of using deep learning for detecting software vulnerabilities. We study 11 model architectures belonging to 4 families. Our results show that deep learning is still not ready for vulnerability detection, due to high false positive rate, low F1 score, and difficulty of detecting hard CWEs. In particular, we demonstrate an important generalization challenge for the deployment of deep learning-based models. We show that increasing the volume of training data may not further improve the performance of deep learning models for vulnerability detection, but might be useful to improve the generalization ability to unseen projects. We also identify hopeful future research directions. We demonstrate that large language models (LLMs) are a promising research direction for ML-based vulnerability detection, outperforming Graph Neural Networks (GNNs) with code-structure features in our experiments. Moreover, developing source code specific pre-training objectives is a promising research direction to improve the vulnerability detection performance.

脆弱性検出プロンプトインジェクションセキュリティラベル

IEEE Trans. Dependable Secur. Comput.

How About Bug-Triggering Paths? - Understanding and Characterizing Learning-Based Vulnerability Detectors

Xiao Cheng, Xu Nie, Ningke Li, Haoyu Wang, Zheng Zheng, Yulei Sui

Published: 2024

Proceedings of the 46th International Conference on Software Engineering: Software Engineering in Practice, ICSE-SEIP 2024

Inference for Ever-Changing Policy of Taint Analysis

Wen-Hao Chiang, Peixuan Li, Qiang Zhou, Subarno Banerjee, Martin Schäf, Yingjun Lyu, Hoan Nguyen, Omer Tripp

Published: 2024

Proceedings of the 46th IEEE/ACM International Conference on Software Engineering

PyTy: Repairing Static Type Errors in Python

Yiu Wai Chow, Luca Di Grazia, Michael Pradel

Published: 2024

Common Attack Pattern Enumeration and Classification (CAPEC)

T. M. Corporation

Published: 2011

NOMS 2020 - IEEE/IFIP Network Operations and Management Symposium

Automated Keyword Extraction from 'One-day' Vulnerabilities at Disclosure

Clément Elbaz, Louis Rilling, Christine Morin

Published: 2020

Proceedings of the 18th ACM Symposium on Operating System Principles, SOSP 2001

Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code

Dawson R. Engler, David Yu Chen, Andy Chou

Published: 2001

Llm agents can autonomously exploit one-day vulnerabilities

R. Fang, R. Bindu, A. Gupta, D. Kang

Published: 2024

CodeBERT: A pre-trained model for programming and natural languages

Zhangyin Feng, Daya Guo, Duyu Tang, et al.

Published: 2020

The Eleventh International Conference on Learning Representations

Incoder: A generative model for code infilling and synthesis

Daniel Fried, Armen Aghajanyan, Jessy Lin, Sida Wang, Eric Wallace, Freda Shi, Ruiqi Zhong, Scott Yih, Luke Zettlemoyer, Mike Lewis

Published: 2023

Proceedings of the 7th International Working Conference on Mining Software Repositories, MSR 2010

Identifying security bug reports via text mining: An industrial case study

Michael Gegick, Pete Rotella, Tao Xie

Published: 2010

ACM Computing Surveys (CSUR)

Software vulnerability analysis and discovery using machine-learning and data-mining techniques: A survey

Seyed Mohammad Ghaffarian, Hamid Reza Shahriari

Published: 2017

Proceedings of the 28th ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2019

Practical program repair via bytecode mutation

Ali Ghanbari, Samuel Benton, Lingming Zhang

Published: 2019

34th IEEE/ACM International Conference on Automated Software Engineering

PraPR: Practical Program Repair via Bytecode Mutation

Ali Ghanbari, Lingming Zhang

Published: 2019

Software Engineering Institute

The cert guide to coordinated vulnerability disclosure

Allen D Householder, Garret Wassermann, Art Manion, Chris King

Published: 2017

A Survey on Hallucination in Large Language Models: Principles, Taxonomy, Challenges, and Open Questions

Lei Huang, Weijiang Yu, Weitao Ma, Weihong Zhong, Zhangyin Feng, Haotian Wang, Qianglong Chen, Weihua Peng, Xiaocheng Feng, Bing Qin, Ting Liu

Published: 2023

IEEE Symposium on Security and Privacy, SP 2012

ReDeBug: Finding Unpatched Code Clones in Entire OS Distributions

Jiyong Jang, Abeer Agrawal, David Brumley

Published: 2012

arxiv

被引用数 1

IEEE Conference on Dependable and Secure Computing (DSC)

The Coming Era of AlphaHacking? A Survey of Automatic Software Vulnerability Detection, Exploitation and Patching Techniques

Tiantian Ji, Yue Wu, Chang Wang, Xi Zhang, Zhongru Wang

Published: 2018.5.29

With the success of the Cyber Grand Challenge (CGC) sponsored by DARPA, the topic of Autonomous Cyber Reasoning System (CRS) has recently attracted extensive attention from both industry and academia. Utilizing automated system to detect, exploit and patch software vulnerabilities seems so attractive because of its scalability and cost-efficiency compared with the human expert based solution. In this paper, we give an extensive survey of former representative works related to the underlying technologies of a CRS, including vulnerability detection, exploitation and patching. As an important supplement, we then review several pioneer studies that explore the potential of machine learning technologies in this field, and point out that the future development of Autonomous CRS is inseparable from machine learning.

プログラム解析動的分析情報セキュリティ

43rd IEEE/ACM International Conference on Software Engineering, ICSE 2021

CURE: Code-Aware Neural Machine Translation for Automatic Program Repair

Nan Jiang, Thibaud Lutellier, Lin Tan

Published: 2021

2016 IEEE first international conference on data science in cyberspace (DSC)

Survey on software vulnerability analysis method based on machine learning

Gong Jie, Kuang Xiao-Hui, Liu Qiang

Published: 2016

CoRR

Demystifying the Mysteries of Security Vulnerability Discussions on Developer Q&A Sites

Triet Huynh Minh Le, Roland Croft, David Hin, Muhammad Ali Babar

Published: 2020

Evaluation and assessment in software engineering

A Large-Scale Study of Security Vulnerability Support on Developer Q&A Websites

Triet Huynh Minh Le, Roland Croft, David Hin, Muhammad Ali Babar

Published: 2021

35th IEEE/ACM International Conference on Automated Software Engineering, ASE 2020

A Deep Multitask Learning Approach for Requirements Discovery and Annotation from Open Forum

Mingyang Li, Lin Shi, Ye Yang, Qing Wang

Published: 2020

CoRR

Chain of Knowledge: A Framework for Grounding Large Language Models with Structured Knowledge Bases

Xingxuan Li, Ruochen Zhao, Yew Ken Chia, Bosheng Ding, Lidong Bing, Shafiq R. Joty, Soujanya Poria

Published: 2023

IEEE Transactions on Dependable and Secure Computing

Sysevr: A framework for using deep learning to detect software vulnerabilities

Li, Z., Zou, D., Xu, S., Jin, H., Zhu, Y., Chen, Z.

Published: 2021

Vuldeepecker: A deep learning-based system for vulnerability detection

Zhen Li, Deqing Zou, Shouhuai Xu, Xinyu Ou, Hai Jin, Sujuan Wang, Zhijun Deng, Yuyi Zhong

Published: 2018

2016 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD)

Mlsa: A static bugs analysis tool based on llvm ir

Hongliang Liang, Lei Wang, Dongyang Wu, Jiuyun Xu

Published: 2016

Proceedings of the IEEE

Software vulnerability detection using deep neural networks: A survey

G. Lin, S. Wen, Q.-L. Han, J. Zhang, Y. Xiang

Published: 2020

Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS ’17)

POSTER: Vulnerability Discovery with Function Representation Learning from Unlabeled Projects

Guanjun Lin, Jun Zhang, Wei Luo, Lei Pan, Yang Xiang

Published: 2017

2012 fourth international conference on multimedia information networking and security

Software vulnerability discovery techniques: A survey

Bingchang Liu, Liang Shi, Zhuhua Cai, Min Li

Published: 2012

Proceedings of the 28th ACM SIGSOFT international symposium on software testing and analysis

Tbar: Revisiting template-based automated program repair.

Kui Liu, Anil Koyuncu, Dongsun Kim, Tegawendé F Bissyandé

Published: 2019

ISSTA ’20: 29th ACM SIGSOFT International Symposium on Software Testing and Analysis

CoCoNuT: combining context-aware neural translation models using ensemble for program repair

Thibaud Lutellier, Hung Viet Pham, Lawrence Pang, Yitong Li, Moshi Wei, Lin Tan

Published: 2020