Vulnerability Detection with Fine-Grained Interpretations
Fri 27 Aug 2021 05:20 - 05:30 - Dependability—Vulnerabilities 1 Chair(s): Marsha Chechik
Despite the successes of machine learning (ML) and deep learning (DL)-based vulnerability detectors (VD), they are limited to providing only the decision on whether a given piece of code is vulnerable or not, without details on what part of the code is relevant to the detected vulnerability. We present IVDetect, an interpretable vulnerability detector with the philosophy of using Artificial Intelligence (AI) to detect vulnerabilities, while using Intelligence Assistant (IA) to provide VD interpretations in terms of vulnerable statements.
For vulnerability detection, we separately consider the vulnerable statements and their surrounding contexts via data and control dependencies. This allows our model to discriminate vulnerable statements better than using the mixture of vulnerable code and contextual code as in existing approaches. In addition to the coarse-grained vulnerability detection result, we leverage interpretable AI to provide users with fine-grained interpretations that include the sub-graph in the Program Dependency Graph (PDG) with the crucial statements that are relevant to the detected vulnerability. Our empirical evaluation on vulnerability databases shows that IVDetect outperforms the existing DL-based approaches by 43%–84% and 105%–255% in top-10 nDCG and MAP ranking scores, respectively. IVDetect correctly points out the vulnerable statements relevant to the vulnerability via its interpretation in 67% of the cases with a top-5 ranked list. IVDetect improves over the baseline interpretation models by 12.3%–400% and 9%–400% in accuracy.
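The abstract's key move is to keep a candidate vulnerable statement apart from the statements it depends on (via data and control dependencies) and to report that dependency context as a PDG sub-graph. The toy below is an added example, not IVDetect's or the authors' code: it builds a program dependence graph for a hand-annotated, constructed C-like snippet and takes the backward slice from a chosen statement, splitting the function into the candidate statement, its dependency context, and unrelated statements. The statement texts, def/use sets, and the choice of statement 6 as the candidate are all assumptions made for illustration.

```python
"""Toy program-dependence-graph (PDG) construction and backward slicing.

Added example, not IVDetect's code.  The statement table is hand-annotated
for a constructed C-like snippet; no real front end produced it.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Stmt:
    sid: int
    text: str
    defs: set = field(default_factory=set)   # variables written by the statement
    uses: set = field(default_factory=set)   # variables read by the statement
    ctrl: Optional[int] = None               # sid of the predicate controlling it


# Constructed snippet (assumed), with hand-written def/use sets:
#  1: int n = read_len(s);
#  2: char buf[64];
#  3: char *p = get_payload(s);
#  4: int flag = is_admin(s);
#  5: if (n > 0)
#  6:   memcpy(buf, p, n);        <- candidate vulnerable statement (assumed)
#  7: if (flag)
#  8:   log_admin(s);
#  9: return 0;
PROGRAM = [
    Stmt(1, "int n = read_len(s);", defs={"n"}, uses={"s"}),
    Stmt(2, "char buf[64];", defs={"buf"}),
    Stmt(3, "char *p = get_payload(s);", defs={"p"}, uses={"s"}),
    Stmt(4, "int flag = is_admin(s);", defs={"flag"}, uses={"s"}),
    Stmt(5, "if (n > 0)", uses={"n"}),
    Stmt(6, "memcpy(buf, p, n);", uses={"buf", "p", "n"}, ctrl=5),
    Stmt(7, "if (flag)", uses={"flag"}),
    Stmt(8, "log_admin(s);", uses={"s"}, ctrl=7),
    Stmt(9, "return 0;"),
]


def build_pdg(stmts):
    """Return {sid: set(sids it depends on)} with data and control edges.

    Data dependence is resolved by the nearest earlier definition in program
    order; the toy snippet has no loops or reassignments, so that suffices.
    """
    deps = {s.sid: set() for s in stmts}
    for i, s in enumerate(stmts):
        if s.ctrl is not None:           # control dependence edge
            deps[s.sid].add(s.ctrl)
        for var in s.uses:               # data dependence edges
            for earlier in reversed(stmts[:i]):
                if var in earlier.defs:
                    deps[s.sid].add(earlier.sid)
                    break
    return deps


def backward_slice(deps, target):
    """Transitive closure over dependence edges from `target`.

    This is the PDG sub-graph a fine-grained interpretation would report as
    the context of the flagged statement.
    """
    seen, work = set(), deque([target])
    while work:
        sid = work.popleft()
        for d in deps[sid]:
            if d not in seen:
                seen.add(d)
                work.append(d)
    return seen


def split_context(stmts, target):
    """Separate the candidate statement, its dependency context, and the
    statements that are unrelated to it, as the abstract's approach does."""
    deps = build_pdg(stmts)
    ctx = backward_slice(deps, target)
    unrelated = {s.sid for s in stmts} - ctx - {target}
    return {"vulnerable": target,
            "context": sorted(ctx),
            "unrelated": sorted(unrelated)}


if __name__ == "__main__":
    result = split_context(PROGRAM, 6)
    for key in ("vulnerable", "context", "unrelated"):
        print(f"{key:>10}: {result[key]}")
```

Running it with statement 6 as the candidate yields context {1, 2, 3, 5} (the length, the buffer, the payload pointer, and the guarding predicate) and leaves the admin-logging branch and the return as unrelated; a model that mixed all nine statements together would have to learn to ignore the latter on its own.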
Thu 26 Aug (displayed time zone: Athens)
17:00 - 18:00 | Dependability—Vulnerabilities 1 | Research Papers (mirrored +12h) | Chair(s): Felipe Fronchetti, University of São Paulo, Brazil
17:00 | 10m Paper | Detecting Node.js Prototype Pollution Vulnerabilities via Object Lookup Analysis | Song Li (Johns Hopkins University), Mingqing Kang (Johns Hopkins University), Jianwei Hou (Johns Hopkins University; Renmin University of China), Yinzhi Cao (Johns Hopkins University)
17:10 | 10m Paper | Detecting Concurrency Vulnerabilities Based on Partial Orders of Memory and Thread Events | Kunpeng Yu (Xi'an Jiaotong University), Chenxu Wang (Xi'an Jiaotong University), Yan Cai (Institute of Software, Chinese Academy of Sciences), Xiapu Luo (Hong Kong Polytechnic University), Zijiang Yang (Western Michigan University)
17:20 | 10m Paper | Vulnerability Detection with Fine-Grained Interpretations | Yi Li (New Jersey Institute of Technology), Shaohua Wang (New Jersey Institute of Technology), Tien N. Nguyen (University of Texas at Dallas)
17:30 | 30m Live Q&A | Q&A (Dependability—Vulnerabilities 1)
Fri 27 Aug (displayed time zone: Athens)
05:00 - 06:00 | Dependability—Vulnerabilities 1 | Research Papers (+12h mirror session)
05:00 | 10m Paper | Detecting Node.js Prototype Pollution Vulnerabilities via Object Lookup Analysis | Song Li (Johns Hopkins University), Mingqing Kang (Johns Hopkins University), Jianwei Hou (Johns Hopkins University; Renmin University of China), Yinzhi Cao (Johns Hopkins University)
05:10 | 10m Paper | Detecting Concurrency Vulnerabilities Based on Partial Orders of Memory and Thread Events | Kunpeng Yu (Xi'an Jiaotong University), Chenxu Wang (Xi'an Jiaotong University), Yan Cai (Institute of Software, Chinese Academy of Sciences), Xiapu Luo (Hong Kong Polytechnic University), Zijiang Yang (Western Michigan University)
05:20 | 10m Paper | Vulnerability Detection with Fine-Grained Interpretations | Yi Li (New Jersey Institute of Technology), Shaohua Wang (New Jersey Institute of Technology), Tien N. Nguyen (University of Texas at Dallas)
05:30 | 30m Live Q&A | Q&A (Dependability—Vulnerabilities 1)