Towards a prototype based explainable JavaScript vulnerability prediction model

Mosolygó, Balázs; Vándor, Norbert; Antal, Gábor; Hegedűs, Péter; Ferenc, Rudolf (2021). Towards a prototype based explainable JavaScript vulnerability prediction model. In: 2021 International Conference on Code Quality (ICCQ). IEEE, Piscataway (NJ), pp. 1-11. ISBN 978-1-7281-8476-0 (electronic); 978-1-7281-8477-7 (PoD)

Abstract

Security has become a central and unavoidable aspect of today's software development. Practitioners and researchers have proposed many code analysis tools and techniques to mitigate security risks. These tools apply static and dynamic analysis or, more recently, machine learning. Machine learning models can achieve impressive results in finding and forecasting possible security issues in programs. However, most current approaches fall short of developer demands in at least two areas: explainability and granularity of predictions. In this paper, we propose a novel and simple, yet promising, approach to identifying potentially vulnerable source code in JavaScript programs. The model improves on the state of the art in terms of explainability and prediction granularity, as it gives results at the level of individual source code lines, which is fine-grained enough for developers to take immediate action. Additionally, the model explains each predicted line (i.e., it provides the most similar vulnerable line from the training set) using a prototype-based approach. In a study of 186 real-world and confirmed JavaScript vulnerability fixes from 91 projects, the approach could flag 60% of the known vulnerable lines on average while marking only 10% of the code base; in particular cases, the model identified 100% of the vulnerable code lines while flagging only 8.72% of the code base.

Item Type: Book Section
Uncontrolled Keywords: software security; vulnerability prediction; data mining; CVE; explainable ML
Subjects: Q Science > QA Mathematics > QA76 Computer software
SWORD Depositor: MTMT SWORD
Depositing User: MTMT SWORD
Date Deposited: 21 Sep 2021 08:35
Last Modified: 21 Sep 2021 08:35
URI: http://real.mtak.hu/id/eprint/129895