A Self-adaptive Approach for Assessing the Criticality of Security-Related Static Analysis Alerts

Author: Ilias Kalouptsoglou, Miltiadis G. Siavvas, Dionisis D. Kehagias, Dimitrios Tsoukalas
Language: English
Year of publication: 2021
Subject:
Source: Computational Science and Its Applications – ICCSA 2021 ISBN: 9783030870065
ICCSA (7)
The 21st International Conference on Computational Science and Its Applications
Lecture Notes in Computer Science
Lecture Notes in Computer Science-Computational Science and Its Applications – ICCSA 2021
ORCID
Microsoft Academic Graph
ZENODO
ISSN: 0302-9743
1611-3349
Description: Despite the acknowledged ability of automated static analysis to detect software vulnerabilities, its adoption in practice is limited, mainly due to the large number of false alerts (i.e., false positives) that it generates. Although several machine learning-based techniques for assessing the actionability of the produced alerts and for filtering out false positives have been proposed, none of them have demonstrated sufficient results, whereas limited attempts focus on assessing the criticality of the alerts from a security viewpoint. To this end, in the present paper we propose an approach for assessing the criticality of security-related static analysis alerts. In particular, we develop a machine learning-based technique for prioritizing and classifying security-related static analysis alerts based on their criticality, by considering information retrieved from the alerts themselves, vulnerability prediction models, and user feedback. The concept of retraining is also adopted to enable the model to correct itself and adapt to previously unknown software products. The technique has been evaluated through a case study, which revealed its capacity to effectively assess the criticality of alerts of previously unknown projects, as well as its ability to dynamically adapt to the characteristics of the new project and provide more accurate assessments through retraining.
Database: OpenAIRE