Journal of Software, 2020, 31(5): 1294-1313

Empirical Studies on Deep-learning-based Security Bug Report Prediction Methods
ZHENG Wei (郑炜), CHEN Jun-Zheng (陈军正), WU Xiao-Xue (吴潇雪), CHEN Xiang (陈翔), XIA Xin (夏鑫)
(School of Software, Northwestern Polytechnical University, Xi'an 710072, China; National Engineering Laboratory for Integrated Aero-Space-Ground-Ocean Big Data Application Technology (Northwestern Polytechnical University), Xi'an 710072, China; Key Laboratory of Big Data Storage and Management (Northwestern Polytechnical University), Ministry of Industry and Information Technology, Xi'an 710072, China; School of Automation, Northwestern Polytechnical University, Xi'an 710072, China; School of Software, Northwestern Polytechnical University, Xi'an 710072, China; School of Information Science and Technology, Nantong University, Nantong 226019, China; Faculty of Information Technology, Monash University, Melbourne, VIC 3800, Australia)
Abstract
Received: August 31, 2019; Revised: October 24, 2019
Chinese abstract (translated): In most cases, software security problems have very serious consequences, and detecting security problems early is one of the key means of preventing security incidents. Security bug report prediction can help developers discover security bugs hidden in the software under test early, so that they can be fixed as soon as possible. However, because security bugs are few in number in real projects and their features are complex (there are many types of security bug, and the features of different types differ greatly), manually extracting features is relatively difficult, which in turn creates a bottleneck in the performance of traditional machine learning classification algorithms at predicting security bug reports. To address this problem, this paper proposes a deep-learning-based security bug report prediction method that uses the deep text mining models TextCNN and TextRNN to build prediction models; for the textual features of security bug reports, a word embedding matrix is built with the Skip-Gram method, and the TextRNN model is optimized with an attention mechanism. A large-scale empirical study of the constructed models on five security bug report datasets of different sizes shows that the deep learning models outperform traditional machine learning classification algorithms in 80% of the experimental cases, improving the F1-score by 0.258 on average and by as much as 0.535 in the best case. In addition, for the class imbalance problem in security bug report datasets, different sampling methods are empirically studied and the results are analysed.
Abstract: The occurrence of software security issues can cause serious consequences in most cases. Early detection of security issues is one of the key measures to prevent security incidents. Security bug report (SBR) prediction can help developers identify hidden security issues in the bug tracking system and fix them as early as possible. However, since the number of security bug reports in real software projects is small, and the features are complex (i.e., there are many types of security vulnerabilities with different types of features), manual extraction of security features is relatively difficult, which leads to low accuracy of security bug report prediction with traditional machine learning classification algorithms. To solve this problem, a deep-learning-based security bug report prediction method is proposed. The deep-learning text mining models TextCNN and TextRNN are used to construct security bug report prediction models. To extract textual features of security bug reports, the Skip-Gram method is used to construct a word embedding matrix. The constructed models have been empirically evaluated on five classical security bug report datasets of different scales. The results show that the deep learning models are superior to traditional machine learning classification algorithms in 80% of the experimental cases, and that the constructed models improve the F1-score by 0.258 on average and by 0.535 at most. Furthermore, different re-sampling strategies are applied to deal with the class imbalance problem in the gathered SBR prediction datasets, and the experimental results are discussed.
Foundation items: Industrial Science and Technology Plan of Shaanxi Province (2015GY073); Key Research and Development Program of Shaanxi Province (2019GY-057)
Citation:

ZHENG Wei, CHEN Jun-Zheng, WU Xiao-Xue, CHEN Xiang, XIA Xin. Empirical Studies on Deep-learning-based Security Bug Report Prediction Methods. Journal of Software, 2020, 31(5): 1294-1313