Write a Blog >>
ASE 2021
Sun 14 - Sat 20 November 2021 Australia
Thu 18 Nov 2021 11:20 - 11:40 at Kangaroo - Vulnerability Chair(s): Xusheng Xiao

It is increasingly suggested to identify Software Vulnerabilities (SVs) in code commits to give early warnings about potential security risks. However, there is a lack of effort to assess vulnerability-contributing commits right after they are detected to provide timely information about the exploitability, impact and severity of SVs. Such information is important to plan and prioritize the mitigation for the identified SVs. We propose a novel Deep multi-task learning model, DeepCVA, to automate seven Commit-level Vulnerability Assessment tasks simultaneously based on Common Vulnerability Scoring System (CVSS) metrics. We conduct large-scale experiments on 1,229 vulnerability-contributing commits containing 542 different SVs in 246 real-world software projects to evaluate the effectiveness and efficiency of our model. We show that DeepCVA is the best-performing model with 38% to 59.8% higher Matthews Correlation Coefficient than many supervised and unsupervised baseline models. DeepCVA also requires 6.3 times less training and validation time than seven cumulative assessment models, leading to significantly less model maintenance cost as well. Overall, DeepCVA presents the first effective and efficient solution to automatically assess SVs early in software systems.

Thu 18 Nov

Displayed time zone: Hobart change

11:00 - 12:00
VulnerabilityResearch Papers at Kangaroo
Chair(s): Xusheng Xiao Case Western Reserve University
11:00
20m
Talk
Finding A Needle in a Haystack: Automated Mining of Silent Vulnerability Fixes
Research Papers
Jiayuan Zhou Centre for Software Excellence, Huawei, Canada, Michael Pacheco Centre for Software Excellence, Huawei, Zhiyuan Wan Zhejiang University, Xin Xia Huawei Software Engineering Application Technology Lab, David Lo Singapore Management University, Yuan Wang Huawei Sweden Research Center, Ahmed E. Hassan Queen's University
11:20
20m
Talk
DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning
Research Papers
Triet Le Huynh Minh The University of Adelaide, David Hin The University of Adelaide, Roland Croft The University of Adelaide, Muhammad Ali Babar University of Adelaide
Pre-print