Chronos: Time-Aware Zero-Shot Identification of Libraries from Vulnerability Reports
Thu 18 May 2023 15:19 - 15:21 at Meeting Room 105 - Posters 2
Tools that alert developers about library vulnerabilities depend on accurate, up-to-date vulnerability databases which are maintained by security researchers. These databases record the libraries related to each vulnerability. However, the vulnerability reports may not explicitly list every library and human analysis is required to determine all the relevant libraries. Human analysis may be slow and expensive, which motivates the need for automated approaches. Researchers and practitioners have proposed to automatically identify libraries from vulnerability reports using extreme multi-label learning (XML).
While state-of-the-art XML techniques showed promising performance, their experiment settings do not practically fit what happens in reality. Previous studies randomly split the vulnerability reports data for training and testing their models without considering the chronological order of the reports. This may unduly train the models on chronologically newer reports while testing the models on chronologically older ones. However, in practice, one often receives chronologically new reports, which may be related to previously unseen libraries. Under this practical setting, we observe that the performance of current XML techniques declines substantially, e.g., F1 decreased from 0.7 to 0.24 under experiments without and with consideration of chronological order of vulnerability reports.
We propose a practical library identification approach, namely CHRONOS, based on zero-shot learning. The novelty of CHRONOS is three-fold. First, CHRONOS fits into the practical pipeline by considering the chronological order of vulnerability reports. Second, CHRONOS enriches the data of the vulnerability descrip- tions and labels using a carefully designed data enhancement step. Third, CHRONOS exploits the temporal ordering of the vulnerability reports using a cache to prioritize prediction of versions of libraries that recently had reports of vulnerabilities.
In our experiments, CHRONOS achieves an average F1-score of 0.75, 3x better than the best XML-based approach. Data enhancement and the time-aware adjustment improve CHRONOS over the vanilla zero-shot learning model by 27% in average F1.
Wed 17 MayDisplayed time zone: Hobart change
15:45 - 17:15 | Vulnerability analysis and assessmentTechnical Track / Journal-First Papers / DEMO - Demonstrations at Meeting Room 105 Chair(s): Xiaoyin Wang University of Texas at San Antonio | ||
15:45 15mTalk | Chronos: Time-Aware Zero-Shot Identification of Libraries from Vulnerability Reports Technical Track Yunbo Lyu Singapore Management University, Le-Cong Thanh The University of Melbourne, Hong Jin Kang UCLA, Ratnadira Widyasari Singapore Management University, Singapore, Zhipeng Zhao Singapore Management University, Xuan-Bach D. Le University of Melbourne, Ming Li Nanjing University, David Lo Singapore Management University Pre-print | ||
16:00 15mTalk | Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem Technical Track Yulun Wu Huazhong University of Science and Technology, Zeliang Yu Huazhong University of Science and Technology, Ming Wen Huazhong University of Science and Technology, Qiang Li Huazhong University of Science and Technology, Deqing Zou Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology Pre-print | ||
16:15 15mTalk | SecBench.js: An Executable Security Benchmark Suite for Server-Side JavaScript Technical Track Masudul Hasan Masud Bhuiyan CISPA Helmholtz Center for Information Security, Adithya Srinivas Parthasarathy Indian Institute of Information Technology, Design and Manufacturing, Kancheepuram, Nikos Vasilakis Massachusetts Institute of Technology, Michael Pradel University of Stuttgart, Cristian-Alexandru Staicu CISPA Helmholtz Center for Information Security Pre-print | ||
16:30 15mTalk | On Privacy Weaknesses and Vulnerabilities in Software Systems Technical Track Pattaraporn Sangaroonsilp University of Wollongong, Hoa Khanh Dam University of Wollongong, Aditya Ghose University of Wollongong | ||
16:45 7mTalk | A Multi-faceted Vulnerability Searching Website Powered by Aspect-level Vulnerability Knowledge Graph DEMO - Demonstrations Jiamou Sun CSIRO's Data61, Zhenchang Xing CSIRO’s Data61; Australian National University, Qinghua Lu CSIRO’s Data61, Xiwei (Sherry) Xu CSIRO’s Data61, Liming Zhu CSIRO’s Data61 | ||
16:52 7mTalk | An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities Journal-First Papers Imen Sayar IRIT, University of Toulouse, IUT Blagnac Toulouse II, 1 Place Georges Brassens, Blagnac Cedex, France, 31703, Alexandre Bartel Umeå University, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Yves Le Traon University of Luxembourg, Luxembourg | ||
17:00 7mTalk | Blindspots in Python and Java APIs Result in Vulnerable Code Journal-First Papers Yuriy Brun University of Massachusetts, Tian Lin University of Florida, Jessie Elise Somerville University of Florida, Elisha M. Myers Florida Atlantic University, Natalie C. Ebner University of Florida Link to publication DOI Pre-print Media Attached | ||