Published September 11, 2021 | Version v1
Conference paper Open

A self-adaptive approach for assessing the criticality of security-related static analysis alerts

Affiliation: Centre for Research and Technology Hellas

Description

Despite the acknowledged ability of automated static analysis to detect software vulnerabilities, its adoption in practice is limited, mainly because of the large number of false alerts (i.e., false positives) that it generates. Although several machine learning-based techniques have been proposed for assessing the actionability of the produced alerts and for filtering out false positives, none of them have demonstrated sufficient results, and only limited attempts have focused on assessing the criticality of the alerts from a security viewpoint. To this end, in the present paper we propose an approach for assessing the criticality of security-related static analysis alerts. In particular, we develop a machine learning-based technique for prioritizing and classifying security-related static analysis alerts according to their criticality, using information retrieved from the alerts themselves, from vulnerability prediction models, and from user feedback. The concept of retraining is also adopted to enable the model to correct itself and adapt to previously unknown software products. The technique has been evaluated through a case study, which revealed its capacity to effectively assess the criticality of alerts from previously unknown projects, as well as its ability to dynamically adapt to the characteristics of a new project and provide more accurate assessments through retraining.

Files

A self-adaptive approach for assessing the criticality of security-related static analysis alerts.pdf

Additional details

Funding

IOTAC – SECURITY BY DESIGN IOT DEVELOPMENT AND CERTIFICATE FRAMEWORK WITH FRONT-END ACCESS CONTROL 952684
European Commission