ICPC 2022
Mon 16 - Tue 17 May 2022
co-located with ICSE 2022
Mon 16 May 2022 08:00 - 08:07 at ICPC room - Session 5: Security Chair(s): Na Meng

Software engineers depend heavily on software libraries and have to update their dependencies once vulnerabilities are found in them. Software Composition Analysis (SCA) helps developers identify vulnerable libraries used by an application. A key challenge is the identification of libraries related to a given reported vulnerability in the National Vulnerability Database (NVD), which may not explicitly indicate the affected libraries. Recently, researchers have tried to address the problem of identifying the libraries from an NVD report by treating it as an extreme multi-label learning (XML) problem, characterized by its large number of possible labels and severe data sparsity. As input, the NVD report is provided, and as output, a set of relevant libraries is returned.

In this work, we evaluated multiple XML techniques and performed an analysis of different models proposed for XML classification. While previous work only evaluated a traditional XML technique, FastXML, we trained four other traditional XML models (DiSMEC, Parabel, Bonsai, ExtremeText) as well as two deep learning-based models (XML-CNN and LightXML). We compared the performance in both their effectiveness and the time cost of training and using the models for predictions. We find that, other than DiSMEC and XML-CNN, recent XML models outperform the FastXML model by 3%–10% in terms of F1-scores on Top-k (k=1,2,3) predictions. Furthermore, we observe significant improvements in both the training and prediction time of these XML models, with the Bonsai and Parabel models achieving 627x and 589x faster training time and 12x faster prediction time than the FastXML baseline. From a deeper analysis, we discuss the implications of our experimental results and highlight limitations that future work needs to address.
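The abstract reports Top-k F1-scores (k=1,2,3) for ranking affected libraries from an NVD report. The following added example (not code from the paper or its authors) shows how such a score is computed over constructed placeholder data: each report has a ranked prediction list and a ground-truth library set, and the usual XML convention is assumed, with precision divided by k and recall by the number of true libraries.

```python
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample (not real NVD data): for each placeholder CVE id, the
# model's ranked library predictions and the ground-truth affected-library set.
SAMPLE: Dict[str, Tuple[List[str], Set[str]]] = {
    "CVE-PLACEHOLDER-1": (["lib-a", "lib-b", "lib-c"], {"lib-a"}),
    "CVE-PLACEHOLDER-2": (["lib-d", "lib-e", "lib-f"], {"lib-e", "lib-f"}),
    "CVE-PLACEHOLDER-3": (["lib-g", "lib-h"], {"lib-g", "lib-i"}),
}


def topk_scores(ranked: Sequence[str], truth: Set[str], k: int) -> Tuple[float, float, float]:
    """Precision@k, Recall@k and F1@k for one vulnerability report.

    Assumed convention (common in XML evaluation): precision divides by k even
    when fewer than k labels were predicted, recall divides by the number of
    true labels, and F1 is the harmonic mean of the two.
    """
    if k <= 0:
        raise ValueError("k must be positive")
    hits = sum(1 for lib in ranked[:k] if lib in truth)
    precision = hits / k
    recall = hits / len(truth) if truth else 0.0
    # hits == 0 implies precision == recall == 0; avoid dividing by zero.
    f1 = 2 * precision * recall / (precision + recall) if hits else 0.0
    return precision, recall, f1


def mean_f1_at_k(dataset: Dict[str, Tuple[List[str], Set[str]]], k: int) -> float:
    """Macro-average F1@k across all reports in the dataset."""
    if not dataset:
        return 0.0
    return sum(topk_scores(r, t, k)[2] for r, t in dataset.values()) / len(dataset)


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"F1@{k}: {mean_f1_at_k(SAMPLE, k):.3f}")
```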

Mon 16 May

Displayed time zone: Eastern Time (US & Canada)

08:00 - 08:30
Session 5: Security (Research / Journal First) at ICPC room
Chair(s): Na Meng Virginia Tech
Automated Identification of Libraries from Vulnerability Data: Can We Do Better?
Stefanus Agus Haryono Singapore Management University, Hong Jin Kang Singapore Management University, Abhishek Sharma Veracode, Inc., Asankhaya Sharma Veracode, Inc., Andrew Santosa Veracode, Inc., Ang Ming Yi Veracode, Inc., David Lo Singapore Management University
Pre-print Media Attached
Example-Based Vulnerability Detection and Repair in Java Code
Ying Zhang Virginia Tech, USA, Ya Xiao Virginia Tech, Md Mahir Asef Kabir Department of Computer Science, Virginia Tech, Daphne Yao Virginia Tech, Na Meng Virginia Tech
Media Attached
Deep security analysis of program code - A systematic literature review
Journal First
Tim Sonnekalb, Thomas S. Heinze Aarhus University, Denmark, Patrick Mäder Technische Universität Ilmenau
Live Q&A
Q&A-Paper Session 5
