ORBilu: Detailed Reference

Article (Scientific journals)

Why Is Static Application Security Testing Hard to Learn?

Krishnan, Padmanabhan; Cifuentes, Cristina; Li, Li et al.

2023 • In IEEE Security and Privacy, 21 (5), p. 68 - 72

Editorial reviewed

Permalink
https://hdl.handle.net/10993/58038

DOI
10.1109/MSEC.2023.3287206

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

2023-Why_Is_Static_Application_Security_Testing_Hard_to_Learn.pdf

Author postprint (1.04 MB)

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

Application security; Learn+; Machine learning techniques; Machine-learning; Program analysis; Security testing; Security vulnerabilities; State of the art; Computer Networks and Communications; Electrical and Electronic Engineering; Law; Privacy; Machine learning; Security; Testing

Abstract :

[en] In this article, we summarize our experience in combining program analysis with machine learning (ML) to develop a technique that can improve the development of specific program analyses. Our experience is negative. We describe the areas that need to be addressed if ML techniques are to be useful in the program analysis context. Most of the issues that we report are different from the ones that discuss the state of the art in the use of ML techniques to detect security vulnerabilities.

Disciplines :

Computer science

Author, co-author :

Krishnan, Padmanabhan ; Oracle Labs, Brisbane, Australia

Cifuentes, Cristina; Oracle Labs, Brisbane, Australia

Li, Li ; Beihang University

BISSYANDE, Tegawendé François d Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

External co-authors :

yes

Language :

English

Title :

Why Is Static Application Security Testing Hard to Learn?

Publication date :

September 2023

Journal title :

IEEE Security and Privacy

ISSN :

1540-7993

eISSN :

1558-4046

Publisher :

Institute of Electrical and Electronics Engineers Inc.

Volume :

21

Issue :

5

Pages :

68 - 72

Peer reviewed :

Editorial reviewed

Additional URL :

http://xplorestaging.ieee.org/ielx7/8013/10242180/10242233.pdf?arnumber=10242233

Available on ORBilu :

since 27 November 2023

Statistics

Number of views

69 (0 by Unilu)

Number of downloads

140 (0 by Unilu)

More statistics

Scopus citations^®

2

Scopus citations^®
without self-citations

2

OpenAlex citations

2

WoS citations^™

2

Bibliography

Z. Feng et al., "CodeBERT: A pre-trained model for programming and natural languages," in Proc. Findings Assoc. Comput. Linguistics, EMNLP, 2020, pp. 1536-1547, doi: 10.18653/v1/2020.findings-emnlp.139.
T. Chappell, C. Cifuentes, P. Krishnan, and S. Geva, "Machine learning for finding bugs: An initial report," in Proc. IEEE Workshop Mach. Learn. Techn. Softw. Qual. Eval. (MaLTeSQuE), 2017, pp. 21-26, doi: 10.1109/MALTESQUE.2017.7882012.
Y. Zhao, X. Du, P. Krishnan, and C. Cifuentes, "Buffer overflow detection for C programs is hard to learn," in Proc. Companion (MLPL) ISSTA/ECOOP, 2018, pp. 8-9, doi: 10.1145/3236454.3236455.
J. Gao, P. Kong, L. Li, T. F. Bissyandé, and J. Klein, "Negative results on mining crypto-API usage rules in android apps," in Proc. IEEE/ACM 16th Int. Conf. Mining Softw. Repositories (MSR), 2019, pp. 388-398, doi: 10.1109/MSR.2019.00065.
V. Raychev, M. Vechev, and A. Krause, "Predicting program properties from 'Big Code'," ACM SIGPLAN Notices, vol. 50, no. 1, pp. 111-124, Jan. 2015, doi: 10.1145/ 2775051.2677009.
K. Allix, T. F. Bissyandé, Q. Jérome, J. Klein, R. State, and Y. Le Traon, "Empirical assessment of machine learning-based malware detectors for android: Measuring the gap between in-the-lab and in-the-wild validation scenarios," Empirical Softw. Eng., vol. 21, no. 1, pp. 183-211, Feb. 2016, doi: 10.1007/s10664-014-9352-6.
F. Pendlebury, F. Pierazzi, R. Jordaney, J. Kinder, and L. Cavallaro, "TESSERACT: Eliminating experimental bias in malware classification across space and time," in Proc. 28th USENIX Security Symp. (USENIX Security), Santa Clara, CA, USA, 2019, pp. 729-746.
Y. Liu, C. Tantithamthavorn, L. Li, and Y. Liu, "Deep learning for android malware defenses: A systematic literature review," ACM Comput. Surv., vol. 55, no. 8, pp. 1-36, Dec. 2022, doi: 10.1145/3544968.
Y. Peng et al., "Static inference meets deep learning: A hybrid type inference approach for Python," in Proc. 44th Int. Conf. Softw. Eng. (ICSE), 2022, pp. 2019-2030, doi: 10.1145/3510003.3510038.
J. Svajlenko, I. Keivanloo, and C. Roy, "Big data clone detection using classical detectors: An exploratory study," J. Softw., Evol. Process, vol. 27, no. 6, pp. 430-464, Jun. 2015, doi: 10.1002/smr.1662.
F. Al-Omari, C. K. Roy, and T. Chen, "SemanticCloneBench: A semantic code clone benchmark using crowd-source knowledge," in Proc. IEEE 14th Int. Workshop Softw. Clones (IWSC), 2020, pp. 57-63, doi: 10.1109/IWSC50091.2020.9047643.
W. Wang, G. Li, B. Ma, X. Xia, and Z. Jin, "Detecting code clones with graph neural network and flow-augmented abstract syntax tree," in Proc. SANER, 2020, pp. 261-271, doi: 10.1109/SANER48275.2020.9054857.
F. Yamaguchi, N. Golde, D. Arp, and K. Rieck, "Modeling and discovering vulnerabilities with code property graphs," in Proc. IEEE Symp. Security Privacy, 2014, pp. 590-604, doi: 10.1109/SP.2014.44.
Y. Zhao et al., "On the impact of sample duplication in machine-learning-based android malware detection," ACM Trans. Softw. Eng. Methodology, vol. 30, no. 3, pp. 1-38, May 2021, doi: 10.1145/3446905.
T. Marjanov, I. Pashchenko, and F. Massacci, "Machine learning for source code vulnerability detection: What works and what isn't there yet," IEEE Security Privacy, vol. 20, no. 5, pp. 60-76, Sep./Oct. 2022, doi: 10.1109/MSEC.2022.3176058.

Similar publications