Towards Vulnerability Types Classification Using Pure Self-Attention: A Common Weakness Enumeration Based Approach

Wang, Tianyi; Qin, Shengzhi; Chow, Kam-Pui

doi:10.1109/cse53436.2021.00030

Cited by 9 publications

(5 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…1. BERT models pre-trained on natural language (i.e., BERT-base (Devlin et al, 2019)), which have been adopted for CWE classification tasks (Das et al, 2021;Wang et al, 2021). 2.…”

Section: Resultsmentioning

confidence: 99%

“…The pre-trained BERT-based language models are selected because previous studies such as Wang et al (2021) and Zhu et al (2022) have used them to achieve promising results on the CWE-ID classification tasks. The Random Forest and Naive Bayes models are selected because they are important machine learning-based methods for CWE-ID classification tasks proposed in previous studies.…”

Section: Resultsmentioning

confidence: 99%

“…Aghaei et al (2020) proposed ThreatZoom, a Hierarchical Neural Network that considers the hierarchical nature of CWE-ID. Wang et al (2021) leveraged the BERT architecture to learn textual features through the self-attention mechanism.…”

Section: Ml-based Vulnerability Type Classificationmentioning

confidence: 99%

See 2 more Smart Citations

AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

Fu,

Tantithamthavorn,

et al. 2023

Empir Software Eng

View full text Add to dashboard Cite

Many Machine Learning(ML)-based approaches have been proposed to automatically detect, localize, and repair software vulnerabilities. While ML-based methods are more effective than program analysis-based vulnerability analysis tools, few have been integrated into modern Integrated Development Environments (IDEs), hindering practical adoption. To bridge this critical gap, we propose in this article AIBugHunter, a novel Machine Learning-based software vulnerability analysis tool for C/C++ languages that is integrated into the Visual Studio Code (VS Code) IDE. AIBugHunter helps software developers to achieve real-time vulnerability detection, explanation, and repairs during programming. In particular, AIBugHunter scans through developers’ source code to (1) locate vulnerabilities, (2) identify vulnerability types, (3) estimate vulnerability severity, and (4) suggest vulnerability repairs. We integrate our previous works (i.e., LineVul and VulRepair) to achieve vulnerability localization and repairs. In this article, we propose a novel multi-objective optimization (MOO)-based vulnerability classification approach and a transformer-based estimation approach to help AIBugHunter accurately identify vulnerability types and estimate severity. Our empirical experiments on a large dataset consisting of 188K+ C/C++ functions confirm that our proposed approaches are more accurate than other state-of-the-art baseline methods for vulnerability classification and estimation. Furthermore, we conduct qualitative evaluations including a survey study and a user study to obtain software practitioners’ perceptions of our AIBugHunter tool and assess the impact that AIBugHunter may have on developers’ productivity in security aspects. Our survey study shows that our AIBugHunter is perceived as useful where 90% of the participants consider adopting our AIBugHunter during their software development. Last but not least, our user study shows that our AIBugHunter can enhance developers’ productivity in combating cybersecurity issues during software development. AIBugHunter is now publicly available in the Visual Studio Code marketplace.

show abstract

“…1. BERT models pre-trained on natural language (i.e., BERT-base (Devlin et al, 2019)), which have been adopted for CWE classification tasks (Das et al, 2021;Wang et al, 2021). 2.…”

Section: Resultsmentioning

confidence: 99%

Section: Resultsmentioning

confidence: 99%

See 1 more Smart Citation

AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

Fu,

Tantithamthavorn,

et al. 2023

Empir Software Eng

View full text Add to dashboard Cite

show abstract

“…The technique which appears the most efficient relies on CWE's technical impact and scope. In parallel, several AI-based techniques exist in the literature [6,11,20,21] to map CVE with CWE; all based more or less on text processing.…”

Section: Mapping Common Vulnerability Exposures (Cve) and Stridementioning

confidence: 99%

“…According to Lovelss, up to 25% (missing, need details, inclusion) of CVE may not have corresponding CWE and consequently Honkaranta et al 's method is inapplicable. To fill this gap, numerous articles [6,11,20,21] propose AI-based solutions to map CVE to CWE. However, none of them made their program, algorithm, or source code available.…”

Section: [ T H R E a T ]mentioning

confidence: 99%

Automated ICS template for STRIDE Microsoft Threat Modeling Tool

Da Silva,

Puys,

Thevenon

et al. 2023

Proceedings of the 18th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Industrial Control Systems (ICS) are specific systems that combine information technology (IT) and operational technology (OT). Due to their interconnection and remote accessibility, they become a target for cyberattacks. As a result of their complexity and heterogeneity in terms of devices and communication protocols, specific security controls and risk analysis methods need to be developed. In particular, in order to reduce the effort of deployment of risk analysis on such complex systems, automated methods need to be provided. This paper deals with automation of the risk identification process for ICS using the STRIDE threat modeling framework. We extend the well-known STRIDE modeling tool, namely Microsoft Threat Modeling Tool (MTMT), with an incremental template dedicated to ICS and provide additional tools to automate the analysis using specific vulnerability extraction from Internet CVE databases.

show abstract

A Survey on Hardware Vulnerability Analysis Using Machine Learning

Pan

Mishra

2022

IEEE Access

View full text Add to dashboard Cite

Electronic systems rely on efficient hardware, popularly known as system-on-chip (SoC), to support its core functionalities. A typical SoC consists of diverse components gathered from third-party vendors to reduce SoC design cost and meet time-to-market constraints. Unfortunately, the participation of third-party companies in global supply chain introduces potential security vulnerabilities. There is a critical need to efficiently detect and mitigate hardware vulnerabilities. Machine learning has been successfully used in hardware security verification as well as development of effective countermeasures. There are recent surveys on hardware Trojan detection using machine learning. To the best of our knowledge, there are no comprehensive surveys on utilization of machine learning techniques for detection and mitigation of a wide variety of hardware vulnerabilities including malicious implants (e.g., hardware Trojans), sidechannel leakage, reverse engineering, and supply-chain vulnerabilities (e.g., counterfeiting, overbuilding and recycling). In this paper, we provide a comprehensive survey of hardware vulnerability analysis using machine learning techniques. Specifically, we discuss how existing approaches effectively utilize machine learning algorithms for hardware security verification using simulation-based validation, formal verification as well as side-channel analysis.

show abstract

Towards Vulnerability Types Classification Using Pure Self-Attention: A Common Weakness Enumeration Based Approach

Cited by 9 publications

References 22 publications

AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

Automated ICS template for STRIDE Microsoft Threat Modeling Tool

A Survey on Hardware Vulnerability Analysis Using Machine Learning

Contact Info

Product

Resources

About