Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation (ICSE 2023 - Technical Track)

Who

Jiamou Sun, Zhenchang Xing, Qinghua Lu, Xiwei (Sherry) Xu, Liming Zhu, Thong Hoang, Dehai Zhao

Track

ICSE 2023 Technical Track

Time Zone

The program is currently displayed in (GMT+10:00) Hobart.

Use conference time zone: (GMT+10:00) HobartSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Fri 19 May 2023 15:45 - 16:00 at Meeting Room 105 - Vulnerability testing and patching Chair(s): Cristian Cadar

Abstract

Due to convenience, open-source software is widely used. For beneficial reasons, open-source maintainers often fix the vulnerabilities silently, exposing their users unaware of the updates to threats. Previous works all focus on black-box binary detection of the silent dependency alerts that suffer from high false-positive rates. Open-source software users need to analyze and explain AI prediction themselves. Explainable AI becomes remarkable as a complementary of black-box AI models, providing details in various forms to explain AI decisions. Noticing there is still no technique that can discover silent dependency alert on time, in this work, we propose a framework using an encoder-decoder model with a binary detector to provide explainable silent dependency alert prediction. Our model generates 4 types of vulnerability key aspects including vulnerability type, root cause, attack vector, and impact to enhance the trustworthiness and users’ acceptance to alert prediction. By experiments with several models and inputs, we confirm CodeBERT with both commit messages and code changes achieves the best results. Our user study shows that explainable alert predictions can help users find silent dependency alert more easily than black-box predictions. To the best of our knowledge, this is the first research work on the application of Explainable AI in silent dependency alert prediction, which opens the door of the related domains.

Jiamou Sun

CSIRO's Data61

Zhenchang Xing

Qinghua Lu

CSIRO’s Data61

Australia

Xiwei (Sherry) Xu

CSIRO’s Data61

Australia

Liming Zhu

CSIRO’s Data61

Australia

Thong Hoang

Data61, CSIRO

Australia

Dehai Zhao

Australian National University, Australia

Australia

Time Zone

The program is currently displayed in (GMT+10:00) Hobart.

Use conference time zone: (GMT+10:00) HobartSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Fri 19 May
Displayed time zone: Hobart change

15:45 - 17:15	Vulnerability testing and patchingTechnical Track / Journal-First Papers / DEMO - Demonstrations at Meeting Room 105 Chair(s): Cristian Cadar Imperial College London, UK

15:45 15m Talk		Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation Technical Track Jiamou Sun CSIRO's Data61, Zhenchang Xing , Qinghua Lu CSIRO’s Data61, Xiwei (Sherry) Xu CSIRO’s Data61, Liming Zhu CSIRO’s Data61, Thong Hoang Data61, CSIRO, Dehai Zhao Australian National University, Australia
16:00 15m Talk		Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects Technical Track Lyuye Zhang Nanyang Technological University, Chengwei Liu Nanyang Technological University, Singapore, Zhengzi Xu Nanyang Technological University, Sen Chen Tianjin University, Lingling Fan Nankai University, Lida Zhao Nanyang Technological University, Wu Jiahui Nanyang Technological University, Yang Liu Nanyang Technological University
16:15 15m Talk		Automated Black-box Testing of Mass Assignment Vulnerabilities in RESTful APIs Technical Track Davide Corradini University of Verona, Michele Pasqua University of Verona, Mariano Ceccato University of Verona Pre-print
16:30 7m Talk		Patchmatch: A Tool for Locating Patches of Open Source Project Vulnerabilities DEMO - Demonstrations Kedi Shen Zhejiang university city college, Yun Zhang Zhejiang University City College, Lingfeng Bao Zhejiang University, Zhiyuan Wan Zhejiang University, Zhuorong Li Zhejiang university city college, Minghui Wu Zhejiang University City College}
16:37 8m Talk		Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats Journal-First Papers Giorgio Di Tizio University of Trento, Michele Armellini University of Trento, Fabio Massacci University of Trento; Vrije Universiteit Amsterdam
16:45 7m Talk		SSPCatcher: Learning to Catch Security Patches Journal-First Papers Arthur D. Sawadogo Université du Québec à Montréal, Tegawendé F. Bissyandé SnT, University of Luxembourg, Naouel Moha École de Technologie Supérieure (ETS), Kevin Allix CentraleSupelec Rennes, Jacques Klein University of Luxembourg, Li Li Beihang University, Yves Le Traon University of Luxembourg, Luxembourg
16:52 15m Talk		CoLeFunDa: Explainable Silent Vulnerability Fix Identification Technical Track Jiayuan Zhou Huawei, Michael Pacheco Centre for Software Excellence, Huawei, Jinfu Chen Centre for Software Excellence, Huawei, Canada, Xing Hu Zhejiang University, Xin Xia Huawei, David Lo Singapore Management University, Ahmed E. Hassan Queen’s University