Details
Original language | English |
---|---|
Title of host publication | Risks and Security of Internet and Systems |
Subtitle | 15th International Conference, CRiSIS 2020, Paris, France, November 4–6, 2020, Revised Selected Papers |
Editors | Joaquin Garcia-Alfaro, Jean Leneutre, Nora Cuppens, Reda Yaich |
Pages | 181-197 |
Number of pages | 17 |
ISBN (electronic) | 978-3-030-68887-5 |
Publication status | Published - 12 Feb 2021 |
Event | The 15th International Conference on Risks and Security of Internet and Systems - Online, France Duration: 3 Nov 2020 → 6 Nov 2020 https://www.crisis-conference.com/ |
Publication series
Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 12528 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (electronic) | 1611-3349 |
Abstract
Nowadays, confidential data of users and companies are processed by various software applications. Therefore, it is necessary to protect them against security flaws in source code, which could, for example, allow the infringement of privacy. However, developers are usually not equipped with the required expertise to fulfill this task. To their rescue, there are tools like security code clone detectors that disclose vulnerable methods in source code. They try to find clones between written project code and vulnerable code fragments stored in a reference repository. Existing vulnerability databases, for instance the National Vulnerability Database (NVD), contain data on reported weaknesses, but example code for their occurrence, patch and exploit is scarce. Developers also use community websites to find help for secure implementations. In this paper, we propose a semi-automated process to extract security-related code from the Stack Exchange community network, to which the coding community Stack Overflow also belongs. We classify the obtained code through artificial intelligence combined with natural language processing into the three security types: vulnerable, patch or exploit. In a twofold evaluation, we compared both parts with the manual activity of security experts. First, for the search, our approach shows better precision than the experts as well as a moderate recall. Second, the results show that the classification of code fragments into security types is not quite easy. The investigated approaches and security experts perform with different strengths regarding the security types.
Keywords
- Source Code, Security, Clone Detection, Community Knowledge, Artificial Intelligence
ASJC Scopus subject areas
- Mathematics (all)
- Theoretical Computer Science
- Computer Science (all)
- General Computer Science
Cite
Risks and Security of Internet and Systems: 15th International Conference, CRiSIS 2020, Paris, France, November 4–6, 2020, Revised Selected Papers. Ed. / Joaquin Garcia-Alfaro; Jean Leneutre; Nora Cuppens; Reda Yaich. 2021. pp. 181-197 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12528 LNCS).
Publication: Contribution to book/report/anthology/conference proceedings › Conference paper › Research › Peer-reviewed
TY - GEN
T1 - Community Knowledge about Security
T2 - The 15th International Conference on Risks and Security of Internet and Systems
AU - Viertel, Fabien Patrick
AU - Brunotte, Wasja
AU - Evers, Yannick
AU - Schneider, Kurt
PY - 2021/2/12
Y1 - 2021/2/12
N2 - Nowadays, confidential data of users and companies are processed by various software applications. Therefore, it is necessary to protect them against security flaws in source code, which could, for example, allow the infringement of privacy. However, developers are usually not equipped with the required expertise to fulfill this task. To their rescue, there are tools like security code clone detectors to disclose vulnerable methods in source code. They try to find clones of written project code and vulnerable code fragments stored in a reference repository. Existing vulnerability databases, for instance the National Vulnerability Database (NVD), contain data on reported weaknesses, but the availability of example code for their occurrence, patch and exploit is scarce. Developers also use community websites to find help for secure implementations. In this paper, we propose a semi-automated process to extract security-related code from the Stack Exchange community network, where also the coding community Stack Overflow belongs. We classify the obtained code through artificial intelligence combined with natural language processing into the three security types: vulnerable, patch or exploit. In a twofold evaluation, we compared both parts with the manual activity of security experts. At first, for the search, our approach shows better precision than the experts as well as a moderate recall. Secondly, the results show that the classification of code fragments in security types is not quite easy. The investigated approaches and security experts perform with different strength regarding types of security.
AB - Nowadays, confidential data of users and companies are processed by various software applications. Therefore, it is necessary to protect them against security flaws in source code, which could, for example, allow the infringement of privacy. However, developers are usually not equipped with the required expertise to fulfill this task. To their rescue, there are tools like security code clone detectors to disclose vulnerable methods in source code. They try to find clones of written project code and vulnerable code fragments stored in a reference repository. Existing vulnerability databases, for instance the National Vulnerability Database (NVD), contain data on reported weaknesses, but the availability of example code for their occurrence, patch and exploit is scarce. Developers also use community websites to find help for secure implementations. In this paper, we propose a semi-automated process to extract security-related code from the Stack Exchange community network, where also the coding community Stack Overflow belongs. We classify the obtained code through artificial intelligence combined with natural language processing into the three security types: vulnerable, patch or exploit. In a twofold evaluation, we compared both parts with the manual activity of security experts. At first, for the search, our approach shows better precision than the experts as well as a moderate recall. Secondly, the results show that the classification of code fragments in security types is not quite easy. The investigated approaches and security experts perform with different strength regarding types of security.
KW - Source Code
KW - Security
KW - Clone Detection
KW - Community Knowledge
KW - Artificial Intelligence
KW - Artificial intelligence
KW - Clone detection
KW - Community knowledge
KW - Security
KW - Source code
UR - http://www.scopus.com/inward/record.url?scp=85102652194&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-68887-5_11
DO - 10.1007/978-3-030-68887-5_11
M3 - Conference contribution
SN - 978-3-030-68886-8
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 181
EP - 197
BT - Risks and Security of Internet and Systems
A2 - Garcia-Alfaro, Joaquin
A2 - Leneutre, Jean
A2 - Cuppens, Nora
A2 - Yaich, Reda
Y2 - 3 November 2020 through 6 November 2020
ER -