ISA: A Source Code Static Vulnerability Detection System Based on Data Fusion

Kong, Deguang; Zheng, Qian; Chen, Chao; Shuai, Jianmei; Zhu, Meifang

doi:10.4108/infoscale.2007.910

Cited by 10 publications

(9 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Kong et al [34] show that the alert prioritization generated via data fusion of redundant alerts performed better than the alert prioritization's of the individual tools. Meng et al [38] discussed some of the alerts found by the ASA; however, there were no numerical results on a larger subject program.…”

Section: Prioritization Results Discussionmentioning

confidence: 98%

“…Developers can focus their alert inspection activities on the alerts they are most likely to want to act on. Ten of the 21 studies use information about the alerts themselves to predict actionable alerts [6,21,22,31,32,34,35,38,40,45]. Six of the selected studies utilize information from the development history of a project to use the past to predict the future [6,22,31,32,45,55].…”

Section: Discussionmentioning

confidence: 99%

“…True negative classification (TN) [21,22,61]: Classifying an alert as unactionable when the alert is unactionable. False positive classification (FP) [21,22,34,61]: Classifying an alert as actionable when the alert is actually unactionable. False negative classification (FN) [21,22,34,61]: Classifying an alert as unactionable when the alert is actually actionable.…”

Section: Metrics For the Evaluation Of Classification Aaitmentioning

confidence: 99%

“…Additionally, when only considering the top 30 alerts, the precision of the fix-based prioritization is almost doubled, and in some cases tripled, from the tool's ordering of alerts. Objective: Kong et al [34] use data fusion to identify vulnerable code using alerts generated by ASAs focused on finding security vulnerabilities.…”

Section: 4)mentioning

confidence: 99%

See 3 more Smart Citations

A systematic literature review of actionable alert identification techniques for automated static code analysis

Heckman

Williams

2011

Information and Software Technology

122

View full text Add to dashboard Cite

a b s t r a c tContext: Automated static analysis (ASA) identifies potential source code anomalies early in the software development lifecycle that could lead to field failures. Excessive alert generation and a large proportion of unimportant or incorrect alerts (unactionable alerts) may cause developers to reject the use of ASA. Techniques that identify anomalies important enough for developers to fix (actionable alerts) may increase the usefulness of ASA in practice. Objective: The goal of this work is to synthesize available research results to inform evidence-based selection of actionable alert identification techniques (AAIT).Method: Relevant studies about AAITs were gathered via a systematic literature review. Results: We selected 21 peer-reviewed studies of AAITs. The techniques use alert type selection; contextual information; data fusion; graph theory; machine learning; mathematical and statistical models; or dynamic detection to classify and prioritize actionable alerts. All of the AAITs are evaluated via an example with a variety of evaluation metrics. Conclusion:The selected studies support (with varying strength), the premise that the effective use of ASA is improved by supplementing ASA with an AAIT. Seven of the 21 selected studies reported the precision of the proposed AAITs. The two studies with the highest precision built models using the subject program's history. Precision measures how well a technique identifies true actionable alerts out of all predicted actionable alerts. Precision does not measure the number of actionable alerts missed by an AAIT or how well an AAIT identifies unactionable alerts. Inconsistent use of evaluation metrics, subject programs, and ASAs in the selected studies preclude meta-analysis and prevent the current results from informing evidence-based selection of an AAIT. We propose building on an actionable alert identification benchmark for comparison and evaluation of AAIT from literature on a standard set of subjects and utilizing a common set of evaluation metrics.

show abstract

Section: Prioritization Results Discussionmentioning

confidence: 98%

Section: Discussionmentioning

confidence: 99%

Section: Metrics For the Evaluation Of Classification Aaitmentioning

confidence: 99%

Section: 4)mentioning

confidence: 99%

See 2 more Smart Citations

A systematic literature review of actionable alert identification techniques for automated static code analysis

Heckman

Williams

2011

Information and Software Technology

122

View full text Add to dashboard Cite

show abstract

“…А в последствии изначальное ранжирование изменяется на основе реакции пользователя в процессе инспекции предупреждений о дефектах. Из других методов стоит выделить ранжирование предупреждений на основе статического вычисления вероятности исполнения мест, для которых предупреждения даны [25], и ранжирование предупреждений на основе слияния результатов нескольких инструментов статического анализа [26,27].…”

Section: ранжированиеunclassified