Domain knowledge-based security bug reports prediction

To eliminate security attack risks of software products, the security bug report (SBR) prediction has been increasingly investigated. However, there is still much room for improving the performance of automatic SBR prediction. This work is inspired by the work of two recent studies proposed by Peter...

Full description

Saved in:
Bibliographic Details
Published inKnowledge-based systems Vol. 241; p. 108293
Main Authors Zheng, Wei, Cheng, JingYuan, Wu, Xiaoxue, Sun, Ruiyang, Wang, Xiaolong, Sun, Xiaobing
Format Journal Article
LanguageEnglish
Published Amsterdam Elsevier B.V 06.04.2022
Elsevier Science Ltd
Subjects
Debugging
Domain knowledge
Domains
Entity recognition
Enumeration
Knowledge graph
Knowledge representation
Machine learning
Security
Security bug report prediction
Software engineering
Software security
Entity recognition
Security bug report prediction
Domain knowledge
Software security
Knowledge graph
Online AccessGet full text

Cover

More Information
Summary:To eliminate security attack risks of software products, the security bug report (SBR) prediction has been increasingly investigated. However, there is still much room for improving the performance of automatic SBR prediction. This work is inspired by the work of two recent studies proposed by Peters et al. and Wu et al., which focused on SBR prediction and have been published on the top tier journal TSE (IEEE Transactions on Software Engineering). The goal of this work is to improve the effectiveness of supervised machine learning-based SBR prediction with the help of software security domain knowledge. First, we split the words in summary and description fields of the SBRs. Then, we use customized relationships to label entities and build a rule-based entity recognition corpus. After that, we establish relationships between entities and construct knowledge graphs. The information of CWE (Common Weakness Enumeration) is used to expand our corpus and the security-related words and phrases are integrated. Finally, we predict SBRs from target project by calculating the cosine similarity between our integrated corpus and the target bug reports. Our experimental evaluation on 5 open-source SBR datasets shows that our domain knowledge-guided approach could improve the effectiveness of SBRs prediction by 52% in terms of F1-score on average.
ISSN:0950-7051
1872-7409
DOI:10.1016/j.knosys.2022.108293