Enhancing security patch identification by capturing structures in commits

With the rapidly increasing number of open source software (OSS) projects, the majority of software vulnerabilities in open source components are fixed silently, which leaves deployed software that integrates them unable to get a timely update. Hence, it is critical to design a security pat...

Bibliographic Details
Main Authors: WU, Bozhi, LIU, Shangqing, FENG, Ruitao, XIE, Xiaofei, SIOW, Jingkai, LIN, Shang-Wei
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2022
Subjects:
Online Access: https://ink.library.smu.edu.sg/sis_research/7500
https://ink.library.smu.edu.sg/context/sis_research/article/8503/viewcontent/2207.09022.pdf
Institution: Singapore Management University
id sg-smu-ink.sis_research-8503
record_format dspace
spelling sg-smu-ink.sis_research-8503
2022-11-21T05:29:02Z
Enhancing security patch identification by capturing structures in commits
WU, Bozhi; LIU, Shangqing; FENG, Ruitao; XIE, Xiaofei; SIOW, Jingkai; LIN, Shang-Wei
With the rapidly increasing number of open source software (OSS) projects, the majority of software vulnerabilities in open source components are fixed silently, which leaves deployed software that integrates them unable to get a timely update. Hence, it is critical to design a security patch identification system to ensure the security of the software in use. However, most existing works on security patch identification treat the changed code and the commit message of a commit as a flat sequence of tokens and use simple neural networks to learn its semantics, while the structure information is ignored. To address these limitations, in this paper we propose our well-designed approach E-SPI, which extracts the structure information hidden in a commit for effective identification. Specifically, it consists of a code change encoder, which extracts the syntactic structure of the changed code and uses a BiLSTM to learn the code representation, and a message encoder, which constructs a dependency graph for the commit message and uses a graph neural network (GNN) to learn the message representation. We further enhance the code change encoder by embedding contextual information related to the changed code. To demonstrate the effectiveness of our approach, we conduct extensive experiments against six state-of-the-art approaches on an existing dataset and in a real deployment environment. The experimental results confirm that our approach significantly outperforms current state-of-the-art baselines.
2022-07-01T07:00:00Z
text
application/pdf
https://ink.library.smu.edu.sg/sis_research/7500
info:doi/10.1109/TDSC.2022.3192631
https://ink.library.smu.edu.sg/context/sis_research/article/8503/viewcontent/2207.09022.pdf
http://creativecommons.org/licenses/by-nc-nd/4.0/
Research Collection School Of Computing and Information Systems
eng
Institutional Knowledge at Singapore Management University
Security Patch Identification; Graph Neural Networks; Abstract Syntax Tree; Graphics and Human Computer Interfaces; Information Security; OS and Networks
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Security Patch Identification
Graph Neural Networks
Abstract Syntax Tree
Graphics and Human Computer Interfaces
Information Security
OS and Networks
format text
author WU, Bozhi
LIU, Shangqing
FENG, Ruitao
XIE, Xiaofei
SIOW, Jingkai
LIN, Shang-Wei
title Enhancing security patch identification by capturing structures in commits
publisher Institutional Knowledge at Singapore Management University
publishDate 2022
_version_ 1770576358866419712