Scientific journals : Article
Engineering, computing & technology : Computer science
Computational Sciences
http://hdl.handle.net/10993/47035
Revisiting the VCCFinder approach for the identification of vulnerability-contributing commits
English
Riom, Timothée [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX]
Sawadogo, Delwende Donald Arthur [Université du Québec à Montréal]
Allix, Kevin [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX]
Bissyande, Tegawendé François D Assise [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX]
Moha, Naouel [Université du Québec à Montréal]
Klein, Jacques [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX]
29-Mar-2021
Empirical Software Engineering
Springer
Volume 26
Yes (verified by ORBilu)
International
ISSN: 1382-3256
eISSN: 1573-7616
US
[en] Vulnerability detection ; Machine-Learning ; Replication ; Software Engineering
[en] Detecting vulnerabilities in software is a constant race between development teams and potential attackers. While many static and dynamic approaches have focused on regularly analyzing the software in its entirety, a recent research direction has focused on the analysis of changes that are applied to the code. VCCFinder is a seminal approach in the literature that builds on machine learning to automatically detect whether an incoming commit will introduce some vulnerabilities. Given the influence of VCCFinder in the literature, we undertake an investigation into its performance as a state-of-the-art system. To that end, we propose to attempt a replication study on the VCCFinder supervised learning approach. The insights of our failure to replicate the results reported in the original publication informed the design of a new approach to identify vulnerability-contributing commits based on a semi-supervised learning technique with an alternate feature set. We provide all artefacts and a clear description of this approach as a new reproducible baseline for advancing research on machine learning-based identification of vulnerability-introducing commits.
Researchers
10.1007/s10664-021-09944-w
https://doi.org/10.1007/s10664-021-09944-w
The original publication is available at www.springerlink.com
FnR ; FNR11693861 > Jacques Klein > CHARACTERIZE > Characterization Of Malicious Code In Mobile Apps: Towards Accurate And Explainable Malware Detection > 01/06/2018 > 31/12/2021 > 2017

File(s) associated to this reference

Fulltext file: Riom2021_Article_RevisitingTheVCCFinderApproach.pdf (Publisher postprint, 3.45 MB, Open access)

All documents in ORBilu are protected by a user license.