SHF: Small: Detecting the 1%: Growing the Science of Vulnerability Detection

SHF:%20小型:%20检测%20the%201%:%20增长%20the%20科学%20of%20漏洞%20检测

• 批准号: 1909516
• 负责人: Laurie Williams
• 金额: $ 50万
• 依托单位: North Carolina State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2023-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1909516&HistoricalAwards=false
• 关键词: SHF; Small; Detecting; Growing; Science

Daily, news reports reveal the latest increasingly sophisticated security attacks that threaten our national security, our cyber infrastructure, our health, our finances, our children, and democracy itself. Yet, studies indicate that discovered vulnerabilities can be very damaging but are rare, appearing in about 1-4% of software files. Finding vulnerabilities has been described as "searching for a needing in a haystack." But, protecting the American people, the American homeland, and the American way of life means that software organizations need to detect vulnerabilities so that they can be fixed before the product is used by customers, which makes the vulnerabilities available to attackers. This project will perform studies to understand the characteristics and location of the most risky vulnerabilities so that special effort can be spent and automated tools can be developed to detect the vulnerabilities. The work will improve the ability of software organizations to produce secure software products so that people can rely upon computer systems to perform critical functions and to process, store, and communicate sensitive information securely. The research project also involves the mentoring of PhD students and innovation in software-security teaching for undergraduate and graduate students.Making informed decisions on what code to review and test can improve a team's ability to find and remove more vulnerabilities. Therefore, security engineers looking to prioritize security inspection and testing efforts may be better served by vulnerability-based detection techniques and tools and effective vulnerability prediction. The goal of this project is to aid software practitioners in detecting exploitable vulnerabilities through empirical study of the characteristics of vulnerabilities and through the development and evaluation of prediction models enhanced with recent research from artificial intelligence. The project will explore characteristics of vulnerabilities with a focus on those that pose the highest security risk. Knowledge about the fundamental characteristics of vulnerabilities can be used in the development of vulnerability-focused tools to aid teams in effectively and efficiently detecting vulnerabilities. The fundamental vulnerability characteristics can also be used to develop novel metrics and methods for building vulnerability prediction models enhanced with recent research from artificial intelligence. The project team will also provide a testbed and test data to help other security researchers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

每天，新闻报道都揭示了最新的日益复杂的安全攻击，这些攻击威胁着我们的国家安全，我们的网络基础设施，我们的健康，我们的财政，我们的孩子和民主本身。 然而，研究表明，发现的漏洞可能非常具有破坏性，但很少出现在大约1-4%的软件文件中。寻找漏洞被描述为“在干草堆中寻找需求”。“但是，保护美国人民、美国国土和美国的生活方式意味着软件组织需要检测漏洞，以便在客户使用产品之前修复漏洞，这使得漏洞可供攻击者使用。该项目将进行研究，以了解风险最大的漏洞的特征和位置，以便可以花费特别的努力，并可以开发自动化工具来检测漏洞。这项工作将提高软件组织生产安全软件产品的能力，以便人们可以依靠计算机系统来执行关键功能，并安全地处理，存储和通信敏感信息。 该研究项目还涉及对博士生的指导以及对本科生和研究生的软件安全教学的创新。在审查和测试哪些代码方面做出明智的决定可以提高团队发现和删除更多漏洞的能力。因此，希望优先考虑安全检查和测试工作的安全工程师可以通过基于可验证性的检测技术和工具以及有效的漏洞预测来更好地服务。 该项目的目标是通过对漏洞特征的实证研究，以及通过开发和评估人工智能最新研究增强的预测模型，帮助软件从业人员检测可利用的漏洞。 该项目将探讨脆弱性的特点，重点是那些构成最高安全风险的脆弱性。有关漏洞基本特征的知识可用于开发以易失性为中心的工具，以帮助团队有效地检测漏洞。基本的脆弱性特征也可用于开发新的指标和方法，用于构建脆弱性预测模型，这些模型通过人工智能的最新研究得到增强。 该项目团队还将提供一个测试平台和测试数据，以帮助其他安全研究人员。该奖项反映了NSF的法定使命，并已被认为是值得通过使用基金会的智力价值和更广泛的影响审查标准进行评估的支持。

项目成果

Dazzle: Using Optimized Generative Adversarial Networks to Address Security Data Class Imbalance Issue

• DOI: 10.1145/3524842.3528437
• 发表时间: 2022-03
• 期刊: 2022 IEEE/ACM 19th International Conference on Mining Software Repositories (MSR)
• 作者: Rui Shu;Tianpei Xia;Laurie A. Williams;T. Menzies

How to Better Distinguish Security Bug Reports (Using Dual Hyperparameter Optimization)

• DOI: 10.1007/s10664-020-09906-8
• 发表时间: 2019-11
• 期刊: Empirical Software Engineering
• 影响因子: 4.1
• 作者: Rui Shu;Tianpei Xia;Jianfeng Chen;L. Williams;T. Menzies

Improving Vulnerability Inspection Efficiency Using Active Learning

利用主动学习提高漏洞检查效率

• DOI: 10.1109/tse.2019.2949275
• 发表时间: 2019
• 期刊: IEEE Transactions on Software Engineering
• 影响因子: 7.4
• 作者: Yu, Zhe;Theisen, Christopher;Williams, Laurie;Menzies, Tim
• 通讯作者: Menzies, Tim

Structuring a Comprehensive Software Security Course Around the OWASP Application Security Verification Standard

围绕 OWASP 应用程序安全验证标准构建全面的软件安全课程

• 发表时间: 2021
• 期刊: Proceedings of the International Conference on Software Engineering
• 作者: Elder, Sarah;Zahan, Nusrat;Kozarev, Val;Shu, Rui;Menzies, Tim;Williams, Laurie
• 通讯作者: Williams, Laurie

Omni: automated ensemble with unexpected models against adversarial evasion attack

• DOI: 10.1007/s10664-021-10064-8
• 发表时间: 2020-11
• 期刊: Empirical Software Engineering
• 影响因子: 4.1
• 作者: Rui Shu;Tianpei Xia;L. Williams;T. Menzies