Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study

Triet Huynh Minh Le; Xiaoning Du; M. Ali Babar

doi:10.1145/3643991.3644919

Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study

Triet Huynh Minh Le
, Xiaoning Du
, M. Ali Babar

Department of Software Systems & Cybersecurity

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

9 Citations (Scopus)

Abstract

Collecting relevant and high-quality data is integral to the development of effective Software Vulnerability (SV) prediction models. Most of the current SV datasets rely on SV-fixing commits to extract vulnerable functions and lines. However, none of these datasets have considered latent SVs existing between the introduction and fix of the collected SVs. There is also little known about the usefulness of these latent SVs for SV prediction. To bridge these gaps, we conduct a large-scale study on the latent vulnerable functions in two commonly used SV datasets and their utilization for function-level and line-level SV predictions. Leveraging the state-of-the-art SZZ algorithm, we identify more than 100k latent vulnerable functions in the studied datasets. We find that these latent functions can increase the number of SVs by 4× on average and correct up to 5k mislabeled functions, yet they have a noise level of around 6%. Despite the noise, we show that the state-of-the-art SV prediction model can significantly benefit from such latent SVs. The improvements are up to 24.5% in the performance (F1-Score) of function-level SV predictions and up to 67% in the effectiveness of localizing vulnerable lines. Overall, our study presents the first promising step toward the use of latent SVs to improve the quality of SV datasets and enhance the performance of SV prediction tasks.CCS CONCEPTS• Security and privacy → Software security engineering.

Original language	English
Title of host publication	Proceedings - 2024 IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024
Editors	Alberto Bacchelli, Eleni Constantinou
Place of Publication	New York NY USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	716-727
Number of pages	12
ISBN (Electronic)	9798400705878
DOIs	https://doi.org/10.1145/3643991.3644919
Publication status	Published - 2024
Event	IEEE International Working Conference on Mining Software Repositories 2024 - Lisbon, Portugal Duration: 15 Apr 2024 → 16 Apr 2024 Conference number: 21st https://dl.acm.org/doi/proceedings/10.1145/3643991 (Proceedings) https://2024.msrconf.org/track/msr-2024-technical-papers? (Website)

Conference

Conference	IEEE International Working Conference on Mining Software Repositories 2024
Abbreviated title	MSR 2024
Country/Territory	Portugal
City	Lisbon
Period	15/04/24 → 16/04/24
Internet address	https://dl.acm.org/doi/proceedings/10.1145/3643991 (Proceedings) https://2024.msrconf.org/track/msr-2024-technical-papers? (Website)

Keywords

Data quality
Deep learning
Software security
Software vulnerability
SZZ algorithm

Access to Document

10.1145/3643991.3644919Licence: CC BY

Cite this

Minh Le, T. H., Du, X., & Babar, M. A. (2024). Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study. In A. Bacchelli, & E. Constantinou (Eds.), Proceedings - 2024 IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024 (pp. 716-727). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1145/3643991.3644919

Minh Le, Triet Huynh ; Du, Xiaoning ; Babar, M. Ali. / Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study. Proceedings - 2024 IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024. editor / Alberto Bacchelli ; Eleni Constantinou. New York NY USA : IEEE, Institute of Electrical and Electronics Engineers, 2024. pp. 716-727

@inproceedings{f6510b4e9f884f7fa0479d6a69fba10a,

title = "Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study",

abstract = "Collecting relevant and high-quality data is integral to the development of effective Software Vulnerability (SV) prediction models. Most of the current SV datasets rely on SV-fixing commits to extract vulnerable functions and lines. However, none of these datasets have considered latent SVs existing between the introduction and fix of the collected SVs. There is also little known about the usefulness of these latent SVs for SV prediction. To bridge these gaps, we conduct a large-scale study on the latent vulnerable functions in two commonly used SV datasets and their utilization for function-level and line-level SV predictions. Leveraging the state-of-the-art SZZ algorithm, we identify more than 100k latent vulnerable functions in the studied datasets. We find that these latent functions can increase the number of SVs by 4× on average and correct up to 5k mislabeled functions, yet they have a noise level of around 6\%. Despite the noise, we show that the state-of-the-art SV prediction model can significantly benefit from such latent SVs. The improvements are up to 24.5\% in the performance (F1-Score) of function-level SV predictions and up to 67\% in the effectiveness of localizing vulnerable lines. Overall, our study presents the first promising step toward the use of latent SVs to improve the quality of SV datasets and enhance the performance of SV prediction tasks.CCS CONCEPTS• Security and privacy → Software security engineering.",

keywords = "Data quality, Deep learning, Software security, Software vulnerability, SZZ algorithm",

author = "\{Minh Le\}, \{Triet Huynh\} and Xiaoning Du and Babar, \{M. Ali\}",

note = "Funding Information: The work has been supported by the Cyber Security Research Centre Limited whose activities are partially funded by the Australian Government's Cooperative Research Centres Program. Publisher Copyright: {\textcopyright} 2024 ACM.; IEEE International Working Conference on Mining Software Repositories 2024, MSR 2024 ; Conference date: 15-04-2024 Through 16-04-2024",

year = "2024",

doi = "10.1145/3643991.3644919",

language = "English",

pages = "716--727",

editor = "Alberto Bacchelli and Eleni Constantinou",

booktitle = "Proceedings - 2024 IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

url = "https://dl.acm.org/doi/proceedings/10.1145/3643991, https://2024.msrconf.org/track/msr-2024-technical-papers?",

}

Minh Le, TH, Du, X & Babar, MA 2024, Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study. in A Bacchelli & E Constantinou (eds), Proceedings - 2024 IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024. IEEE, Institute of Electrical and Electronics Engineers, New York NY USA, pp. 716-727, IEEE International Working Conference on Mining Software Repositories 2024, Lisbon, Portugal, 15/04/24. https://doi.org/10.1145/3643991.3644919

Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study. / Minh Le, Triet Huynh; Du, Xiaoning; Babar, M. Ali.
Proceedings - 2024 IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024. ed. / Alberto Bacchelli; Eleni Constantinou. New York NY USA: IEEE, Institute of Electrical and Electronics Engineers, 2024. p. 716-727.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study

AU - Minh Le, Triet Huynh

AU - Du, Xiaoning

AU - Babar, M. Ali

N1 - Conference code: 21st

PY - 2024

Y1 - 2024

N2 - Collecting relevant and high-quality data is integral to the development of effective Software Vulnerability (SV) prediction models. Most of the current SV datasets rely on SV-fixing commits to extract vulnerable functions and lines. However, none of these datasets have considered latent SVs existing between the introduction and fix of the collected SVs. There is also little known about the usefulness of these latent SVs for SV prediction. To bridge these gaps, we conduct a large-scale study on the latent vulnerable functions in two commonly used SV datasets and their utilization for function-level and line-level SV predictions. Leveraging the state-of-the-art SZZ algorithm, we identify more than 100k latent vulnerable functions in the studied datasets. We find that these latent functions can increase the number of SVs by 4× on average and correct up to 5k mislabeled functions, yet they have a noise level of around 6%. Despite the noise, we show that the state-of-the-art SV prediction model can significantly benefit from such latent SVs. The improvements are up to 24.5% in the performance (F1-Score) of function-level SV predictions and up to 67% in the effectiveness of localizing vulnerable lines. Overall, our study presents the first promising step toward the use of latent SVs to improve the quality of SV datasets and enhance the performance of SV prediction tasks.CCS CONCEPTS• Security and privacy → Software security engineering.

AB - Collecting relevant and high-quality data is integral to the development of effective Software Vulnerability (SV) prediction models. Most of the current SV datasets rely on SV-fixing commits to extract vulnerable functions and lines. However, none of these datasets have considered latent SVs existing between the introduction and fix of the collected SVs. There is also little known about the usefulness of these latent SVs for SV prediction. To bridge these gaps, we conduct a large-scale study on the latent vulnerable functions in two commonly used SV datasets and their utilization for function-level and line-level SV predictions. Leveraging the state-of-the-art SZZ algorithm, we identify more than 100k latent vulnerable functions in the studied datasets. We find that these latent functions can increase the number of SVs by 4× on average and correct up to 5k mislabeled functions, yet they have a noise level of around 6%. Despite the noise, we show that the state-of-the-art SV prediction model can significantly benefit from such latent SVs. The improvements are up to 24.5% in the performance (F1-Score) of function-level SV predictions and up to 67% in the effectiveness of localizing vulnerable lines. Overall, our study presents the first promising step toward the use of latent SVs to improve the quality of SV datasets and enhance the performance of SV prediction tasks.CCS CONCEPTS• Security and privacy → Software security engineering.

KW - Data quality

KW - Deep learning

KW - Software security

KW - Software vulnerability

KW - SZZ algorithm

UR - https://www.scopus.com/pages/publications/85197462092

U2 - 10.1145/3643991.3644919

DO - 10.1145/3643991.3644919

M3 - Conference Paper

AN - SCOPUS:85197462092

SP - 716

EP - 727

BT - Proceedings - 2024 IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024

A2 - Bacchelli, Alberto

A2 - Constantinou, Eleni

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - New York NY USA

T2 - IEEE International Working Conference on Mining Software Repositories 2024

Y2 - 15 April 2024 through 16 April 2024

ER -

Minh Le TH, Du X, Babar MA. Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study. In Bacchelli A, Constantinou E, editors, Proceedings - 2024 IEEE/ACM 21st International Conference on Mining Software Repositories, MSR 2024. New York NY USA: IEEE, Institute of Electrical and Electronics Engineers. 2024. p. 716-727 doi: 10.1145/3643991.3644919

Are Latent Vulnerabilities Hidden Gems for Software Vulnerability Prediction? An Empirical Study

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this