vulnerability prediction models a case study on the linux
play

Vulnerability Prediction Models: A case study on the Linux Kernel - PowerPoint PPT Presentation

Sep 24, 2022 •120 likes •777 views

Vulnerability Prediction Models: A case study on the Linux Kernel Matthieu Jimenez Mike Papadakis Yves Le Traon Jimenez et al. Vulnerability Prediction Models: A Case Study on the Linux Kernel SCAM16 1 Slides: Matthieu

  1. Vulnerability Prediction Models: A case study on the Linux Kernel Matthieu Jimenez Mike Papadakis Yves Le Traon Jimenez et al. “Vulnerability Prediction Models: A Case Study on the Linux Kernel” SCAM’16 � 1 Slides: Matthieu Jimenez Thème: Sébastien Mosser

  2. Vulnerabilities ? � 2

  3. A vulnerability “An information security ‘ vulnerability’ is a mistake in a software that can be directly used by a hacker to gain access to a system or network.” ~ CVE - website ~ � 3

  4. Vulnerabilities are special More Important - Critical There are more bugs than vulnerabilities Uncovered differently - defects can be easily noticed, while vulnerabilities not. � 4

  5. Vulnerabilities are Web server used to remotely control the glassware-cleaning machine CVE for that… � 5

  6. Prediction Model ? � 6

  7. Prediction Models Models analysing current and historical events to make prediction about the future and/or unknown events ! � 7

  8. Vulnerability Prediction Model ? � 8

  9. Vulnerability Prediction Take advantage of the knowledge on some part of a software system and/ or previous releases � 9

  10. Vulnerability Prediction to automatically classify software entities as vulnerable or not ! � 10

  11. Software Entities ? � 11

  12. Granularity Possibility to work at : • module level • file level • function level •… � 12

  13. In this work , we stay at the file level ! � 13 *Morrison et al. “Challenges with applying vulnerability prediction models,” in HotSoS’15.

  14. GOAL � 14

  15. Replicating and comparing the main VPMs approaches on the same software system . � 15

  16. Replication … � 16

  17. Exact independent replication � 17

  18. Exact replication procedures of an experiment are followed as closely as possible e.g. here we replicate using the same machine learning settings � 18

  19. Independent replication deliberately vary one or more major aspects of the conditions of the experiment e.g. we use our dataset � 19

  20. Approaches … � 20

  21. #Include and f(n) calls � 21

  22. Include & Function calls Introduced by Neuhaus et al. at CCS’07 � 22

  23. Include & Function calls Introduced by Neuhaus et al. at CCS’07 Intuition : vulnerable files share similar set of imports and function calls � 23

  24. Include & Function calls Introduced by Neuhaus et al. at CCS’07 Intuition : vulnerable files share similar set of imports and function calls build a model based on either includes or function calls of a file . � 24

  25. Overview Preprocessing Learning Retrieve all include Include & function SVM with a linear and function calls of a calls kernel file 2 models are build � 25

  26. Software Metrics � 26

  27. Software Metrics Several works on using metrics to predict vulnerabilities , mostly by Shin et al. � 27

  28. Software Metrics Several works on using metrics to predict vulnerabilities , mostly by Shin et al. Software metrics are used in defect prediction build a model based software metrics (complexity, code churn, …) � 28

  29. Overview Preprocessing Learning Compute complexity metrics of each function (keeping sum, avg and max) Software Metrics Logistic regression code churn and the number of authors of every files. � 29

  30. Text Mining � 30

  31. Text Mining suggested by Scandariato et al. in 2014. � 31

  32. Text Mining suggested by Scandariato et al. in 2014. Aim : building a model requiring no human intuition for feature selection � 32

  33. Text Mining suggested by Scandariato et al. in 2014. Aim : building a model requiring no human intuition for feature selection build a model based on a bag of word extracted from a file � 33

  34. Overview Preprocessing Learning •Discretisation of the Creating a bag of features (making word (splitting the them boolean) code according to the •Remove of all Text mining language grammar) features considered for every files useless •Random Forest with 100 trees � 34

  35. Dataset � 35

  36. Introducing the dataset based on commit and not release � 36

  37. Introducing the dataset • CVE-NVD database as a source of vulnerabilities • Bugzilla as a source of bugs � 37

  38. Introducing the dataset •build automatically •with the latest data available •on the Linux Kernel � 38

  39. Overall dataset statistics 2006-June 2016 • 1,640 vulnerable files , accounting for 743 vulnerabilities • 4,900 buggy files related to 3,400 bug reports • more than 50,000 files in total � 39

  40. Research Questions • RQ1 . Can we distinguish between buggy and vulnerable files ? � 40

  41. Research Questions • RQ1 . Can we distinguish between buggy and vulnerable files ? • RQ2 . Can we distinguish between vulnerable and non vulnerable files ? � 41

  42. Research Questions • RQ1 . Can we distinguish between buggy and vulnerable files ? • RQ2 . Can we distinguish between vulnerable and non vulnerable files ? • RQ3 . Can we predict future vulnerable when using past data ? � 42

  43. Research Questions • RQ1 . Can we distinguish between buggy and vulnerable files ? • RQ2 . Can we distinguish between vulnerable and non vulnerable files ? • RQ3 . Can we predict future vulnerable when using past data ? ✦ Distinguish between buggy and vulnerable files ✦ Distinguish between vulnerable and non vulnerable files ? � 43 •

  44. Experimental Dataset * Buggy vs Vulnerable files � 44

  45. Experimental dataset Can we distinguish between buggy and vulnerable files ? • files related to bug report patches vs files from vulnerability patches • ratio 3.3 : 1 � 45

  46. Realistic Dataset * Vulnerable vs Non-Vulnerable files � 46

  47. Realistic dataset • Can we distinguish between Vulnerable and Non-Vulnerable files? • Reproduce observed ratio between different categories of files • 3% of (likely) vulnerable files • 47% of (likely) buggy files • 50% of clear files � 47

  48. Evaluation � 48

  49. RQ1 - Bugs vs Vulnerabilities 1.0 0.8 0.6 MCC 0.4 0.2 ● 0.0 Function Calls Includes Software Metrics Text Mining � 49

  50. RQ2 - Vulnerable vs Non- 1.0 0.8 ● ● ● 0.6 MCC 0.4 ● 0.2 ● 0.0 Function Calls Includes Software Metrics Text Mining � 50

  51. RQ3 Time - Bugs vs Precision Recall

  52. RQ3 Time - Bugs vs 1.00 ● Function Calls Includes Software Metrics Text Mining 0.75 mcc 0.50 ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0.25 0.00 5 10 15 20 release

  53. RQ3 Time - Vulnerable vs Non- 1.00 1.00 ● ● ● ● ● ● ● ● 0.75 0.75 ● ● ● ● ● ● ● ● ● ● ● precision ● ● ● ● recall ● 0.50 0.50 ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0.25 0.25 0.00 0.00 5 10 15 20 5 10 15 20 release release � 53

  54. RQ3 Time - Vulnerable vs 1.00 ● Function Calls Includes Software Metrics Text Mining 0.75 ● ● ● ● ● ● ● ● ● ● ● ● ● mcc ● ● ● ● ● ● ● 0.50 0.25 0.00 5 10 15 20 release

  55. Discussion - Findings � 55

  56. 1 VPM’s are working well with historical data � 56

  57. 2 Good precision observed even with unbalanced data � 57

  58. 3 In the practical case , the best trade off is in favour of include and function calls � 58

  59. 4 In the general case , or favouring precision the best one is text mining . � 59

  60. Previous studies Include and Function calls There is no comparison with Metrics or Text Mining There are no results related to time In the context of Linux We found Reported we have similar results… Precision 70% Precision 70% Recall 45% Recall 64% Neuhaus et al. “Predicting vulnerable software components” CCS’07. � 60

  61. Previous studies Software Metrics Reported 10 fold cross validation We found In the context of Linux Precision 3-5, 9, 2-52% Precision 65% Recall 87-90, 91, 66-79% Recall 22% there are significant differences… Reported results based on time We found Precision 3% Precision 42 : 39% Recall 79-85% Recall 16 : 24% Shin et al. “Evaluating Complexity, Code Churn, and Developer Activity Metrics as Indicators of Software Vulnerabilities” TSE ’11. Shinand et al. “Cantraditionalfaultpredictionmodelsbeused for vulnerability prediction?” ESE’ 13. Walden et al. “Predicting Vulnerable Components: Software Metrics vs Text Mining” ISSRE’14. � 61

  62. Previous studies Text Mining Reported We found 10 fold cross validation In the context of Linux Precision 90, 2-57% Precision 76% there are again Recall 77, 74-81% Recall 58% significant differences Reported results based on time We found Precision 86% Precision 74 : 93% Recall 77% Recall 37 : 27% Scandariato et al.“Predicting Vulnerable Software Components via Text Mining” TSE ’14. � 62 Walden et al. “Predicting Vulnerable Components: Software Metrics vs Text Mining” ISSRE’14.

  63. DataSet and Replication package and additional results will be available soon … Please contact Matthieu Jimenez ( Matthieu.Jimenez@uni.lu ) � 63

  64. Thank you for your attention ! � 64

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS 377: Operating Systems Linux Case Study Outline Linux History Design Principles A

CS 377: Operating Systems Linux Case Study Outline Linux History Design Principles A

CS 377: Operating Systems Linux Case Study Outline Linux History Design Principles A review of what youve System Overview learned, and how it Process Scheduling applies to a real Memory Management operating system File

245 views • 13 slides
Developing Risk Prediction Models Using Nested Case-Control Data 28 May 2015 Agus Salim ()

Developing Risk Prediction Models Using Nested Case-Control Data 28 May 2015 Agus Salim ()

Developing Risk Prediction Models Using Nested Case-Control Data 28 May 2015 Agus Salim () VicBiostat Seminar, 28 May 2015 1 / 40 Background Recently, there has been an explosion of prediction models developed to predict risk of various

414 views • 40 slides
Using Linux perf at Netflix Brendan Gregg Senior Performance Architect Sep 2017 Case Study: ZFS

Using Linux perf at Netflix Brendan Gregg Senior Performance Architect Sep 2017 Case Study: ZFS

Using Linux perf at Netflix Brendan Gregg Senior Performance Architect Sep 2017 Case Study: ZFS is ea/ng my CPU Easy to debug using Ne9lix Vector & flame graphs How I expected it to look: Case Study: ZFS is ea/ng my CPU (cont.)

796 views • 79 slides
Yemen's vulnerability communities: The case study of Sanaa, Water Environmental Center Team

Yemen's vulnerability communities: The case study of Sanaa, Water Environmental Center Team

Adapting to water scarcity for Yemen's vulnerability communities: The case study of Sanaa, Water Environmental Center Team Dr. Abdulla Noaman Dr. Mansour Haidera Dr. Saif Othman Dr. Khateeb Kebsi Dr. Abdulla Babaqi 1 Project background

817 views • 45 slides
Power Tuning Linux: A Case Study Alexandra Yates alexandra.yates@intel.com

Power Tuning Linux: A Case Study Alexandra Yates alexandra.yates@intel.com

Power Tuning Linux: A Case Study Alexandra Yates alexandra.yates@intel.com http://01.org/powertop 1 About Experiment 2 About Experiment Software Ubuntu 13.10: Includes Ubuntu Linux Kernel 3.11.0-12.19. Based on upstream Linux Kernel

463 views • 20 slides
Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has

Case study 2 Case study 2 Case study 2 Case study 2 Former Industrial Site, London: How has innovation helped to produce a cost effective remedial design? Challenging contaminant profile Taken a traditional / well understood remedial

910 views • 4 slides
Neural Network Models for Air Quality Prediction: A Comparative Study S V Barai A.K.Dikshit

Neural Network Models for Air Quality Prediction: A Comparative Study S V Barai A.K.Dikshit

Neural Network Models for Air Quality Prediction: A Comparative Study S V Barai A.K.Dikshit Sameer Sharma Department of Civil Engineering IIT Kharagpur Presentation Outline . Background on Neural Forecaster Objectives

1.01k views • 42 slides
Adaptive Regularization Algorithms in Learning Theory Case Study: Prediction of Blood Glucose

Adaptive Regularization Algorithms in Learning Theory Case Study: Prediction of Blood Glucose

Adaptive Regularization Algorithms in Learning Theory Case Study: Prediction of Blood Glucose Level Sergei V. Pereverzev, Sivananthan Sampath, Huajun Wang RICAM, Austria Joint research with E: De Vito (Uni. Genova), L. Rosasco (MIT,

764 views • 33 slides
Scientific Literature CEE 577 #41 1 NYC: Cannonsville Case Study CEE 577 #41 2

Scientific Literature CEE 577 #41 1 NYC: Cannonsville Case Study CEE 577 #41 2

Updated: 17 April 2013 Print version Lecture #41 TOC & THMFP Models II Scientific Literature CEE 577 #41 1 NYC: Cannonsville Case Study CEE 577 #41 2 Cannonsville Reservoir Study Algal & THM Precursor Models Doerr,

503 views • 32 slides
Conceptual and Concrete Architecture Linux Case Study Conceptual Architecture Intent

Conceptual and Concrete Architecture Linux Case Study Conceptual Architecture Intent

Conceptual and Concrete Architecture Linux Case Study Conceptual Architecture Intent direct attention at an appropriate decomposition of the system without delving into the details of interface specification [1]

451 views • 21 slides
An Empirical Study on the Use of Defect U N I VE R SI TY OF WASHI N G TON Prediction for Test

An Empirical Study on the Use of Defect U N I VE R SI TY OF WASHI N G TON Prediction for Test

D AVID PATERSON, U N I VE RSI TY O F S HE FFI ELD JOSE CAMPOS, An Empirical Study on the Use of Defect U N I VE R SI TY OF WASHI N G TON Prediction for Test Case Prioritization RUI ABREU, U N I VE R SI TY OF LI SB ON GREGORY M. KAPFHAMMER,

611 views • 44 slides
Sampling Effect on Performance Prediction of Configurable Systems : A Case Study Juliana Alves

Sampling Effect on Performance Prediction of Configurable Systems : A Case Study Juliana Alves

Sampling Effect on Performance Prediction of Configurable Systems : A Case Study Juliana Alves Pereira, Mathieu Acher, Hugo Martin, Jean-Marc Jezequel 1 Configurable systems Pros Adaptive Lots of options Cons Lots of

491 views • 17 slides
Referential scales and differential case marking: A study using hierarchical models in Bayesian

Referential scales and differential case marking: A study using hierarchical models in Bayesian

Referential scales and differential case marking: A study using hierarchical models in Bayesian phylogenetics Gerhard Jger Tbingen University 13th Conference of the Association for Linguistic Typology Pavia, September 4, 2019 Case

527 views • 38 slides
Theories and Models of Language Change Case Study II: Phonological Reduction A Usage-based

Theories and Models of Language Change Case Study II: Phonological Reduction A Usage-based

Roland Mhlenbernd Review Priming Case Study I: From Space to Time Theories and Models of Language Change Case Study II: Phonological Reduction A Usage-based Account of Directional Change Session 10: Priming Remaining Issues Conclusion

461 views • 30 slides
Overview Evolution in Open Source Software: What is software evolution? A Case Study Why

Overview Evolution in Open Source Software: What is software evolution? A Case Study Why

Overview Evolution in Open Source Software: What is software evolution? A Case Study Why should we care? Previous research Michael W. Godfrey A case study: The Linux OS kernel Qiang Tu Observations, hypotheses, and future

179 views • 6 slides
A case study on using generalized additive models to fit credit rating scores Marlene Mller,

A case study on using generalized additive models to fit credit rating scores Marlene Mller,

A case study on using generalized additive models to fit credit rating scores Marlene Mller, marlene.mueller@itwm.fraunhofer.de This version: July 8, 2009, 14:32 Contents Application: Credit Rating Aim of this Talk Case Study German

574 views • 45 slides
Viden: iden: Attac acker er Ident dentif ifica ication ion on on In- n- Vehic ehicle

Viden: iden: Attac acker er Ident dentif ifica ication ion on on In- n- Vehic ehicle

Viden: iden: Attac acker er Ident dentif ifica ication ion on on In- n- Vehic ehicle le Net Networ orks ks Kyong-Tak Cho and Kang G. Shin 1 Cont ontent ent Mo%va%on CAN Viden Evalua%on Drawback Future Work 2

448 views • 27 slides
Programming by Examples Sumit Gulwani ECML/PKDD Conference Microsoft Sep 2019 Example-based

Programming by Examples Sumit Gulwani ECML/PKDD Conference Microsoft Sep 2019 Example-based

Programming by Examples Sumit Gulwani ECML/PKDD Conference Microsoft Sep 2019 Example-based help-forum interaction 300_w30_aniSh_c1_b w30 300_w5_aniSh_c1_b w5 =MID(B1,5,2) =MID(B1,5,2) =MID(B1,FIND(_,$B:$B)+1,

626 views • 24 slides
MOBISYS 2011 MOBISYS 2011 The 9th International Conference on Mobile System, Applications, and

MOBISYS 2011 MOBISYS 2011 The 9th International Conference on Mobile System, Applications, and

MOBISYS 2011 MOBISYS 2011 The 9th International Conference on Mobile System, Applications, and Services Tracing a Missing Mobile Phone using Daily Observations Hyojeong Shin*, Yohan Chon, Kwanghyo Park, Hojung Cha Hyojeong Shin

522 views • 24 slides
Introd u ction to the NASA fireball data set BU IL D IN G DASH BOAR D S W ITH SH IN YDASH BOAR

Introd u ction to the NASA fireball data set BU IL D IN G DASH BOAR D S W ITH SH IN YDASH BOAR

Introd u ction to the NASA fireball data set BU IL D IN G DASH BOAR D S W ITH SH IN YDASH BOAR D L u c y D ' Agostino McGo w an Postdoctoral fello w in Biostatistics at Johns Hopkins Uni v ersit y Data backgro u nd 1 h ps :// cneos . jpl .

174 views • 14 slides
JANUS: Fast and Flexible Deep Learning via Symbolic Graph Execution of Imperative Programs Eunji

JANUS: Fast and Flexible Deep Learning via Symbolic Graph Execution of Imperative Programs Eunji

JANUS: Fast and Flexible Deep Learning via Symbolic Graph Execution of Imperative Programs Eunji Jeong , Sungwoo Cho, Gyeong-In Yu, Joo Seong Jeong, Dong-Jin Shin, Byung-Gon Chun Demo 1 Introduction Challenge Solution Results Deep Neural

452 views • 21 slides
4nterconnect !assan Wassel 6 7 Mohit !iwari 6 7 9onathan :alamehr ; 7 <u>e !heogara@an ; 7

4nterconnect !assan Wassel 6 7 Mohit !iwari 6 7 9onathan :alamehr ; 7 <u>e !heogara@an ; 7

!owards Chip-scale 1lasmonic 4nterconnect !assan Wassel 6 7 Mohit !iwari 6 7 9onathan :alamehr ; 7 <u>e !heogara@an ; 7 9enniAer Bionne C 7 Drederic Chong 6 and !imothy Sherwood 6 6 Computer Science G HC Santa Iarbara ; Klectrical and

789 views • 20 slides
DECISION-CTO Optimal Medical Therapy With or Without Stenting For Coronary Chronic Total

DECISION-CTO Optimal Medical Therapy With or Without Stenting For Coronary Chronic Total

DECISION-CTO Optimal Medical Therapy With or Without Stenting For Coronary Chronic Total Occlusion Seung-Jung Park, MD., PhD. Heart Institute, University of Ulsan College of Medicine Asan Medical Center, Seoul, Korea Background Benefits of

481 views • 37 slides
Healthcare Association of New York State www.hanys.org Federal HIT Issues Update Latest from

Healthcare Association of New York State www.hanys.org Federal HIT Issues Update Latest from

Healthcare Association of New York State www.hanys.org Federal HIT Issues Update Latest from Capitol Hill Legislative efforts to address MU AMA pushing for blanket hardship exemption from penalty for 2015 performance (2017

573 views • 9 slides

More recommend