SHF: Small: Detecting the 1%: Growing the Science of Vulnerability Detection

SHF:%20小型:%20检测%20the%201%:%20增长%20the%20科学%20of%20漏洞%20检测

• 批准号: 1909516
• 负责人: Laurie Williams
• 金额: $ 50万
• 依托单位: North Carolina State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2023-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1909516&HistoricalAwards=false
• 关键词: SHF; Small; Detecting; Growing; Science

Daily, news reports reveal the latest increasingly sophisticated security attacks that threaten our national security, our cyber infrastructure, our health, our finances, our children, and democracy itself. Yet, studies indicate that discovered vulnerabilities can be very damaging but are rare, appearing in about 1-4% of software files. Finding vulnerabilities has been described as "searching for a needing in a haystack." But, protecting the American people, the American homeland, and the American way of life means that software organizations need to detect vulnerabilities so that they can be fixed before the product is used by customers, which makes the vulnerabilities available to attackers. This project will perform studies to understand the characteristics and location of the most risky vulnerabilities so that special effort can be spent and automated tools can be developed to detect the vulnerabilities. The work will improve the ability of software organizations to produce secure software products so that people can rely upon computer systems to perform critical functions and to process, store, and communicate sensitive information securely. The research project also involves the mentoring of PhD students and innovation in software-security teaching for undergraduate and graduate students.Making informed decisions on what code to review and test can improve a team's ability to find and remove more vulnerabilities. Therefore, security engineers looking to prioritize security inspection and testing efforts may be better served by vulnerability-based detection techniques and tools and effective vulnerability prediction. The goal of this project is to aid software practitioners in detecting exploitable vulnerabilities through empirical study of the characteristics of vulnerabilities and through the development and evaluation of prediction models enhanced with recent research from artificial intelligence. The project will explore characteristics of vulnerabilities with a focus on those that pose the highest security risk. Knowledge about the fundamental characteristics of vulnerabilities can be used in the development of vulnerability-focused tools to aid teams in effectively and efficiently detecting vulnerabilities. The fundamental vulnerability characteristics can also be used to develop novel metrics and methods for building vulnerability prediction models enhanced with recent research from artificial intelligence. The project team will also provide a testbed and test data to help other security researchers.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

News报告每日报告揭示了最新越来越复杂的安全攻击，这威胁了我们的国家安全，我们的网络基础设施，我们的健康，我们的财务，我们的孩子和民主本身。 但是，研究表明，发现的漏洞可能非常有害，但很少见，大约出现在1-4％的软件文件中。发现漏洞已被描述为“在干草堆中寻找需求”。但是，保护美国人民，美国的家园和美国的生活方式意味着软件组织需要检测漏洞，以便在客户使用产品之前可以修复它们，这使攻击者可用。该项目将进行研究，以了解最风险的漏洞的特征和位置，以便可以花费特殊的努力并开发自动化工具来检测漏洞。这项工作将提高软件组织生产安全的软件产品的能力，以便人们可以依靠计算机系统执行关键功能，并可以安全地处理，存储和通信敏感信息。 该研究项目还涉及博士生和研究生软件安全教学中的创新。制定有关审查和测试的代码的知情决定可以提高团队找到和消除更多漏洞的能力。因此，基于漏洞的检测技术和工具以及有效的脆弱性预测，希望更好地为安全检查和测试工作的安全工程师更好地服务。 该项目的目的是通过对脆弱性特征的经验研究以及通过人工智能的最新研究增强了预测模型的开发和评估来帮助软件实践者通过实证研究来检测可剥削的脆弱性。 该项目将探索漏洞的特征，重点是构成最高安全风险的漏洞。有关脆弱性的基本特征的知识可以用于开发以脆弱性为中心的工具，以有效有效地检测脆弱性。通过人工智能的最新研究，可以使用基本脆弱性特征来开发建立脆弱性预测模型的新型指标和方法。 该项目团队还将提供测试和测试数据以帮助其他安全研究人员。该奖项反映了NSF的法定任务，并被认为是通过基金会的知识分子优点和更广泛的影响评估标准来评估值得支持的。

项目成果

Dazzle: Using Optimized Generative Adversarial Networks to Address Security Data Class Imbalance Issue

• DOI: 10.1145/3524842.3528437
• 发表时间: 2022-03
• 期刊: 2022 IEEE/ACM 19th International Conference on Mining Software Repositories (MSR)
• 作者: Rui Shu;Tianpei Xia;Laurie A. Williams;T. Menzies

How to Better Distinguish Security Bug Reports (Using Dual Hyperparameter Optimization)

• DOI: 10.1007/s10664-020-09906-8
• 发表时间: 2019-11
• 期刊: Empirical Software Engineering
• 影响因子: 4.1
• 作者: Rui Shu;Tianpei Xia;Jianfeng Chen;L. Williams;T. Menzies

Improving Vulnerability Inspection Efficiency Using Active Learning

利用主动学习提高漏洞检查效率

• DOI: 10.1109/tse.2019.2949275
• 发表时间: 2019
• 期刊: IEEE Transactions on Software Engineering
• 影响因子: 7.4
• 作者: Yu, Zhe;Theisen, Christopher;Williams, Laurie;Menzies, Tim
• 通讯作者: Menzies, Tim

Omni: automated ensemble with unexpected models against adversarial evasion attack

• DOI: 10.1007/s10664-021-10064-8
• 发表时间: 2020-11
• 期刊: Empirical Software Engineering
• 影响因子: 4.1
• 作者: Rui Shu;Tianpei Xia;L. Williams;T. Menzies

Structuring a Comprehensive Software Security Course Around the OWASP Application Security Verification Standard

围绕 OWASP 应用程序安全验证标准构建全面的软件安全课程

• 发表时间: 2021
• 期刊: Proceedings of the International Conference on Software Engineering
• 作者: Elder, Sarah;Zahan, Nusrat;Kozarev, Val;Shu, Rui;Menzies, Tim;Williams, Laurie
• 通讯作者: Williams, Laurie