Visible to the public Challenging Machine Learning Algorithms in Predicting Vulnerable JavaScript Functions

TitleChallenging Machine Learning Algorithms in Predicting Vulnerable JavaScript Functions
Publication TypeConference Paper
Year of Publication2019
AuthorsFerenc, Rudolf, Heged\H us, Péter, Gyimesi, Péter, Antal, Gábor, Bán, Dénes, Gyimóthy, Tibor
Conference Name2019 IEEE/ACM 7th International Workshop on Realizing Artificial Intelligence Synergies in Software Engineering (RAISE)
ISBN Number978-1-7281-2272-4
Keywordschallenging machine, code fixing patches, code metrics, Computer crime, cyber-crime activities, Databases, dataset, deep learnin, Deep Learning, extensive grid-search algorithm, F-measure, forest based classifiers, GitHub, Java, JavaScript, JavaScript programs, learning (artificial intelligence), machie learning, machine learning, machine learning algorithms, Measurement, Metrics, mitigation techniques, natural language processing, nearest neighbour methods, node security project, pattern classification, performing algorithm, performing models, Prediction algorithms, prediction models, Predictive models, predictive security metrics, pubcrawl, public databases, re-sampling strategies, security, security vulnerabilities, Snyk platform, software metrics, software security issues, static source code metrics, Support vector machines, SVM, viable practical approach, Vulnerability, vulnerability information, vulnerable components, vulnerable functions, vulnerable javascript functions

The rapid rise of cyber-crime activities and the growing number of devices threatened by them place software security issues in the spotlight. As around 90% of all attacks exploit known types of security issues, finding vulnerable components and applying existing mitigation techniques is a viable practical approach for fighting against cyber-crime. In this paper, we investigate how the state-of-the-art machine learning techniques, including a popular deep learning algorithm, perform in predicting functions with possible security vulnerabilities in JavaScript programs. We applied 8 machine learning algorithms to build prediction models using a new dataset constructed for this research from the vulnerability information in public databases of the Node Security Project and the Snyk platform, and code fixing patches from GitHub. We used static source code metrics as predictors and an extensive grid-search algorithm to find the best performing models. We also examined the effect of various re-sampling strategies to handle the imbalanced nature of the dataset. The best performing algorithm was KNN, which created a model for the prediction of vulnerable functions with an F-measure of 0.76 (0.91 precision and 0.66 recall). Moreover, deep learning, tree and forest based classifiers, and SVM were competitive with F-measures over 0.70. Although the F-measures did not vary significantly with the re-sampling strategies, the distribution of precision and recall did change. No re-sampling seemed to produce models preferring high precision, while re-sampling strategies balanced the IR measures.

Citation Keyferenc_challenging_2019