Title | Learning to Identify Security-Related Issues Using Convolutional Neural Networks |
Publication Type | Conference Paper |
Year of Publication | 2019 |
Authors | Palacio, David N., McCrystal, Daniel, Moran, Kevin, Bernal-Cárdenas, Carlos, Poshyvanyk, Denys, Shenefiel, Chris |
Conference Name | 2019 IEEE International Conference on Software Maintenance and Evolution (ICSME) |
Date Published | sep |
Keywords | agile development practices, aid development teams, CNN, Companies, composability, Computer architecture, convolutional neural nets, convolutional neural network, data mining, Databases, Deep Learning, high dimensional word embeddings, human factors, issue descriptions, Kernel, learning (artificial intelligence), Man-machine systems, natural language descriptions, ontologies (artificial intelligence), open source issues, pubcrawl, public domain software, robust security assurance, Scalability, SDL, security, security issues, security of data, security-focused automation, security-related content, security-related requirements, Semantics, software assurance, software products, software quality, software security, two-phase neural net architecture, user interfaces, vulnerability descriptions |
Abstract | Software security is becoming a high priority for both large companies and start-ups alike due to the increasing potential for harm that vulnerabilities and breaches carry with them. However, attaining robust security assurance while delivering features requires a precarious balancing act in the context of agile development practices. One path forward to help aid development teams in securing their software products is through the design and development of security-focused automation. Ergo, we present a novel approach, called SecureReqNet, for automatically identifying whether issues in software issue tracking systems describe security-related content. Our approach consists of a two-phase neural net architecture that operates purely on the natural language descriptions of issues. The first phase of our approach learns high dimensional word embeddings from hundreds of thousands of vulnerability descriptions listed in the CVE database and issue descriptions extracted from open source projects. The second phase then utilizes the semantic ontology represented by these embeddings to train a convolutional neural network capable of predicting whether a given issue is security-related. We evaluated SecureReqNet by applying it to identify security-related issues from a dataset of thousands of issues mined from popular projects on GitLab and GitHub. In addition, we also applied our approach to identify security-related requirements from a commercial software project developed by a major telecommunication company. Our preliminary results are encouraging, with SecureReqNet achieving an accuracy of 96% on open source issues and 71.6% on industrial requirements. |
DOI | 10.1109/ICSME.2019.00024 |
Citation Key | palacio_learning_2019 |