On the Feasibility of Supervised Machine Learning for the Detection of Malicious Software Packages

Ohm, Marc; Boes, Felix; Bungartz, Christian; Meier, Michael

doi:10.1145/3538969.3544415

Cited by 8 publications

(2 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several other OSS malware detection tools exist but were excluded from the study either because the tool had unavailable source code, did not use anomaly-based analysis, or lacked published detection rules. Also, there are OSS malware detection tools designed for other programming language ecosystems (e.g., [54] for npm) that could potentially be used, after engineering modifications, to analyze PyPI packages. Future evaluations could therefore benchmark more and different OSS malware detection tools.…”

Section: Threats To Validitymentioning

confidence: 99%

Bad Snakes: Understanding and Improving Python Package Index Malware Scanning

Newman

Meyers

2023

2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Open-source, community-driven package repositories see thousands of malware packages each year, but do not currently run automated malware detection systems. In this work, we explore the security goals of the repository administrators and the requirements for deploying such malware scanners via a case study of the Python ecosystem and PyPI repository, including interviews with administrators and maintainers. Further, we evaluate existing malware detection techniques for deployment in this setting by creating a benchmark dataset and comparing several existing tools: the malware checks implemented in PyPI, Bandit4Mal, and OSSGadget's OSS Detect Backdoor.We find that repository administrators have exacting requirements for such malware detection tools. Specifically, they consider a false positive rate of even 0.1% to be unacceptably high, given the large number of package releases that might trigger false alerts. Measured tools have false positive rates between 15% and 97%; increasing thresholds for detection rules to reduce this rate renders the true positive rate useless.While automated tools are far from reaching these demands, we find that a socio-technical malware detection system has emerged to meet these needs: external security researchers perform repository malware scans, filter for useful results, and report the results to repository administrators. These parties face different incentives and constraints on their time and tooling. We conclude with recommendations for improving detection capabilities and strengthening the collaboration between security researchers and software repository administrators.

show abstract

Section: Threats To Validitymentioning

confidence: 99%

Bad Snakes: Understanding and Improving Python Package Index Malware Scanning

Newman

Meyers

2023

2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…Approach: We use our set of 9 package attributes (Section 3) to train a random forest model to predict the adoption delay of the fix. We use random forest because it is known to offer a good balance between performance and interpretability and is commonly used in software engineering research [15], [43]. When feeding the vulnerability instances to the model, we use the latest vulnerable dependency relationship for each downstream dependent.…”

Section: Rq2: How Can We Identify Packages That Quickly Mitigate Vuln...mentioning

confidence: 99%

Dependency Smells in JavaScript Projects

Jafari

Costa

Shihab

et al. 2022

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Relying on dependency packages accelerates software development, but it also increases the exposure to security vulnerabilities that may be present in dependencies. While developers have full control over which dependency packages (and which version) they use, they have no control over the dependencies of their dependencies. Such transitive dependencies, which often amount to a greater number than direct dependencies, can become infected with vulnerabilities and put software projects at risk. To mitigate this risk, Practitioners need to select dependencies that respond quickly to vulnerabilities to prevent the propagation of vulnerable code to their project. To identify such dependencies, we analyze more than 450 vulnerabilities in the npm ecosystem to understand why dependent packages remain vulnerable. We identify over 200,000 npm packages that are infected through their dependencies and use 9 features to build a prediction model that identifies packages that quickly adopt the vulnerability fix and prevent further propagation of vulnerabilities. We also study the relationship between these features and the response speed of vulnerable packages. We complement our work with a practitioner survey to understand the applicability of our findings. Developers can incorporate our findings into their dependency management practices to mitigate the impact of vulnerabilities from their dependency supply chain.

show abstract