Challenging Machine Learning Algorithms in Predicting Vulnerable JavaScript Functions

Rudolf Ferenc, Péter Hegedűs, Péter Gyimesi, Gábor Antal, Dénes Bán, Tibor Gyimóthy

TL;DR

The paper tackles the challenge of predicting vulnerable JavaScript functions by building a fine-grained function-level vulnerability dataset from NSP and Snyk databases and mapping fixes from GitHub. It analyzes eight machine learning approaches, including deep neural networks, using 35 static code metrics and a rigorous grid-search with various sampling strategies. The results show that several models, notably KNN, achieve strong F-measures (up to 0.76), indicating static metrics can meaningfully indicate vulnerabilities even in a dynamic language like JavaScript. The work makes a practical contribution by releasing the dataset and demonstrating that precision-recall trade-offs can be managed via resampling, with implications for proactive vulnerability mitigation at the function level.

Abstract

The rapid rise of cyber-crime activities and the growing number of devices threatened by them place software security issues in the spotlight. As around 90% of all attacks exploit known types of security issues, finding vulnerable components and applying existing mitigation techniques is a viable practical approach for fighting against cyber-crime. In this paper, we investigate how state-of-the-art machine learning techniques, including a popular deep learning algorithm, perform in predicting functions with possible security vulnerabilities in JavaScript programs. We applied 8 machine learning algorithms to build prediction models using a new dataset constructed for this research from the vulnerability information in public databases of the Node Security Project and the Snyk platform, and code-fixing patches from GitHub. We used static source code metrics as predictors and an extensive grid-search algorithm to find the best performing models. We also examined the effect of various re-sampling strategies to handle the imbalanced nature of the dataset. The best performing algorithm was KNN, which created a model for the prediction of vulnerable functions with an F-measure of 0.76 (0.91 precision and 0.66 recall). Moreover, deep learning, tree- and forest-based classifiers, and SVM were competitive with F-measures over 0.70. Although the F-measures did not vary significantly with the re-sampling strategies, the distribution of precision and recall did change. No re-sampling seemed to produce models preferring high precision, while re-sampling strategies balanced the IR measures.
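The abstract reports that the choice of re-sampling strategy barely moved the F-measure but shifted the balance between precision and recall. The following added example (not code from the paper or its authors) reproduces that effect in miniature: a hand-written KNN classifier stands in for the grid-searched models, a two-element metric vector (lines of code, McCabe complexity) stands in for the 35 static metrics, and deterministic replication of the minority class stands in for random oversampling. All samples are constructed for illustration; the function names, feature choice and the 9:3 class ratio are assumptions, not values taken from the paper's dataset.

```python
from math import sqrt

# Constructed toy data (not the paper's dataset): each sample is a
# (static-metric vector, label) pair, where the vector is (lines of code,
# McCabe complexity) for one JavaScript function and label 1 means
# "vulnerable". The training set is deliberately imbalanced (9 clean : 3
# vulnerable), mirroring the skew the paper reports for real function-level data.
TRAIN = [
    ((10, 1), 0), ((12, 1), 0), ((14, 2), 0), ((16, 2), 0), ((18, 3), 0),
    ((20, 3), 0), ((22, 3), 0), ((24, 4), 0), ((9, 1), 0),
    ((40, 8), 1), ((44, 9), 1), ((48, 10), 1),
]
TEST = [
    ((11, 1), 0), ((19, 3), 0), ((23, 4), 0), ((26, 4), 0),
    ((42, 8), 1), ((46, 10), 1),
    ((32, 5), 1),   # borderline vulnerable function: sits between the clusters
    ((32, 7), 0),   # borderline clean function: also sits between the clusters
]


def euclidean(a, b):
    """Plain Euclidean distance between two metric vectors."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def knn_predict(train, x, k=3):
    """Majority vote among the k nearest training samples (k odd, so no ties)."""
    nearest = sorted(train, key=lambda s: euclidean(s[0], x))[:k]
    votes = sum(label for _, label in nearest)
    return 1 if votes * 2 > k else 0


def oversample_minority(train):
    """Stand-in for random oversampling: replicate every minority-class sample
    until the class counts match. Replication is deterministic so the run is
    reproducible; a real pipeline would draw the copies at random."""
    pos = [s for s in train if s[1] == 1]
    neg = [s for s in train if s[1] == 0]
    minority, majority = (pos, neg) if len(pos) < len(neg) else (neg, pos)
    reps = len(majority) // len(minority)
    return majority + minority * reps


def f_measure(precision, recall):
    """Harmonic mean of precision and recall (the F-measure used in the paper)."""
    if precision + recall == 0:
        return 0.0
    return 2 * precision * recall / (precision + recall)


def evaluate(train, test, k=3):
    """Train-free KNN evaluation: precision, recall and F-measure for the
    vulnerable class, treating label 1 as the positive class."""
    tp = fp = fn = 0
    for x, label in test:
        pred = knn_predict(train, x, k)
        tp += pred == 1 and label == 1
        fp += pred == 1 and label == 0
        fn += pred == 0 and label == 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return {"precision": precision, "recall": recall, "f": f_measure(precision, recall)}


if __name__ == "__main__":
    # Without re-sampling the sparse vulnerable class rarely wins a vote, so the
    # model is precise but misses the borderline vulnerable function. After
    # oversampling, the replicated vulnerable neighbours tip both borderline
    # votes: recall rises to 1.0 while precision drops to 0.75.
    print("no re-sampling:", evaluate(TRAIN, TEST))
    print("oversampled:   ", evaluate(oversample_minority(TRAIN), TEST))
```

On this toy set the un-resampled model scores precision 1.0, recall 0.67 (F 0.80), and the oversampled model scores precision 0.75, recall 1.0 (F 0.86): the F-measure moves little, the precision/recall split moves a lot, which is the qualitative pattern the abstract describes. Which side of that trade-off a team wants depends on who consumes the predictions: a reviewer triaging flagged functions by hand usually prefers the high-precision setting, while a gate that decides which functions get a deeper audit can afford the extra false positives for the sake of recall.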

Paper Structure (16 sections, 3 figures, 2 tables)