Automated identification of libraries from vulnerability data

“…While XML techniques were shown to be effective in the experiments of prior studies [6], [10], we observe that there are practical concerns that need to be addressed. Every year, new libraries are included in the NVD.…”

“…We performed an empirical study of the number of new libraries with vulnerabilities each year. Our analysis indicates that up to 70% libraries associated up to 50.7% of vulnerability reports each year cannot be correctly identified by the previously proposed approaches [6], [10]. As the training dataset would not contain any NVD entries related to the libraries, the XML techniques would not correctly identify vulnerabilities related to these libraries.…”

“…These characteristics present challenges for traditional Machine Learning techniques but are addressed by XML techniques. A recent study by Haryono et al [10] assessed recent XML techniques on the task. Their experiments revealed that the deep learningbased approach, LightXML [11], led to the greatest increase in performance among recently proposed XML techniques.…”

“…In this work, following prior works [6], [10], we formulate the problem of library identification from vulnerability reports as an XML problem, where vulnerability reports and possible libraries, which can be enumerated from package managers, e.g., npm, pypi,... are considered documents and labels, respectively. If security researchers believe that particular versions of the libraries are noteworthy [6], the vulnerability report may be labelled with specific versions of the affected library (e.g.…”

“…Characterized by the sparsity of the data and the large space of possible labels, XML problems are challenging for standard machine learning approaches. Recently, Haryono et al [10] found that the most effective XML approach for library identification is a deep learning-based XML approach, LightXML [11].…”

CHRONOS: Time-Aware Zero-Shot Identification of Libraries from Vulnerability Reports

“…While XML techniques were shown to be effective in the experiments of prior studies [6], [10], we observe that there are practical concerns that need to be addressed. Every year, new libraries are included in the NVD.…”

“…We performed an empirical study of the number of new libraries with vulnerabilities each year. Our analysis indicates that up to 70% libraries associated up to 50.7% of vulnerability reports each year cannot be correctly identified by the previously proposed approaches [6], [10]. As the training dataset would not contain any NVD entries related to the libraries, the XML techniques would not correctly identify vulnerabilities related to these libraries.…”

“…These characteristics present challenges for traditional Machine Learning techniques but are addressed by XML techniques. A recent study by Haryono et al [10] assessed recent XML techniques on the task. Their experiments revealed that the deep learningbased approach, LightXML [11], led to the greatest increase in performance among recently proposed XML techniques.…”

“…In this work, following prior works [6], [10], we formulate the problem of library identification from vulnerability reports as an XML problem, where vulnerability reports and possible libraries, which can be enumerated from package managers, e.g., npm, pypi,... are considered documents and labels, respectively. If security researchers believe that particular versions of the libraries are noteworthy [6], the vulnerability report may be labelled with specific versions of the affected library (e.g.…”

“…Characterized by the sparsity of the data and the large space of possible labels, XML problems are challenging for standard machine learning approaches. Recently, Haryono et al [10] found that the most effective XML approach for library identification is a deep learning-based XML approach, LightXML [11].…”

CHRONOS: Time-Aware Zero-Shot Identification of Libraries from Vulnerability Reports

CHRONOS: Time-Aware Zero-Shot Identification of Libraries from Vulnerability Reports

Topic Recommendation for GitHub Repositories: How Far Can Extreme Multi-Label Learning Go?