Security Issue Classification for Vulnerability Management with Semi-supervised Learning

Emil Wåreus, Anton Duppils, Magnus Tullberg, Martin Hell

2022

Abstract

Open-Source Software (OSS) is increasingly common in industry software and enables developers to build better applications, at a higher pace, and with better security. These advantages also come at the cost of inheriting vulnerabilities through these third-party libraries. The largest publicly available database of easily machine-readable vulnerabilities is the National Vulnerability Database (NVD). However, reporting to this database is a human-dependent process, and it fails to provide acceptable coverage of all open source vulnerabilities. We propose the use of semi-supervised machine learning to classify issues as security-related in order to provide additional vulnerabilities in an automated pipeline. Our models, based on a Hierarchical Attention Network (HAN), outperform previously proposed models on our manually labelled test dataset, with an F1 score of 71%. Based on the results and the vast number of GitHub issues, our model potentially identifies about 191 036 security-related issues with prediction power over 80%.

Paper Citation


in Harvard Style

Wåreus E., Duppils A., Tullberg M. and Hell M. (2022). Security Issue Classification for Vulnerability Management with Semi-supervised Learning. In Proceedings of the 8th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-553-1, pages 84-95. DOI: 10.5220/0010813000003120


in Bibtex Style

@conference{icissp22,
author={Emil Wåreus and Anton Duppils and Magnus Tullberg and Martin Hell},
title={Security Issue Classification for Vulnerability Management with Semi-supervised Learning},
booktitle={Proceedings of the 8th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2022},
pages={84--95},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0010813000003120},
isbn={978-989-758-553-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 8th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Security Issue Classification for Vulnerability Management with Semi-supervised Learning
SN - 978-989-758-553-1
AU - Wåreus E.
AU - Duppils A.
AU - Tullberg M.
AU - Hell M.
PY - 2022
SP - 84
EP - 95
DO - 10.5220/0010813000003120