Machine Learning vs Software Vulnerability Detection: Applicability Analysis and Conceptual System Synthesis

N. V. Leonov; Леонов Н. В.; M. V. Buinevich; Буйневич М. В.

Machine Learning vs Software Vulnerability Detection: Applicability Analysis and Conceptual System Synthesis

Authors: Leonov N.V.¹, Buinevich M.V.²
Affiliations:
1. State Research Institute of Applied Problems
2. Saint-Petersburg University of State Fire Service of EMERCOM of Russia
Issue: Vol 9, No 6 (2023)
Pages: 83-94
Section: INFORMATION TECHNOLOGIES AND TELECOMMUNICATION
URL: https://journal-vniispk.ru/1813-324X/article/view/252976
ID: 252976

Cite item

Full Text

Abstract
About the authors
References
Supplementary files
Statistics

Abstract

The article is devoted to the searching for vulnerabilities in software problem, as well as the possibilities of application of such a promising area in information technology as machine learning. For this purpose, a review of scientific publications in this area from Russian and foreign citation databases is made. A comparative analysis of the review's results was made according to the following criteria: publication year, application field, idea, solved problem of machine learning, degree of realization of its models and methods; for each criterion basic conclusions were drawn. As a result, 7 principles of building a new conceptual system of searching for vulnerabilities in software with the help of machine learning are proposed, the short meaning of which is as follows: program's multilateral study, combination of known methods, the use of machine learning in each method and algorithm of its management, the possibility of correcting the expert's work, storing information in a database and its synchronization with external, advisory nature of the found vulnerabilities; single software application usage. Based on the stated principles, a graphical scheme of such a system has been developed.

Keywords

information security, vulnerability search, machine learning, review, principles, search engine

About the authors

N. V. Leonov

State Research Institute of Applied Problems

Email: Leonov-nv@yandex.ru
ORCID iD: 0009-0005-1295-5343

M. V. Buinevich

Saint-Petersburg University of State Fire Service of EMERCOM of Russia

Email: bmv1958@yandex.ru
ORCID iD: 0000-0001-8146-0022

References

Романов Н.Е., Израилов К.Е., Покусов В.В. Система поддержки интеллектуального программирования: машинное обучение feat. быстрая разработка безопасных программ // Информатизация и связь. 2021. № 5. С. 7‒17. doi: 10.34219/2078-8320-2021-12-5-7-16
Chavan A., Pimplikar S., Deshmukh A. An Overview of Machine Learning Techniques for Evaluation of Pavement Condition // Proceedings of the 4th International Conference on Cybernetics, Cognition and Machine Learning Applications (ICCCMLA, Goa, India, 08‒09 October 2022). IEEE, 2022. PP. 139‒143. doi: 10.1109/ICCCMLA56841.2022.9989164
Sathuluri M.R., Sahithi R., Sri P.N., Arshitha K. Machine Learning Approach to Design Fractal Antenna for 5G Applications // Proceedings of the 4th International Conference on Inventive Research in Computing Applications (ICIRCA, Coimbatore, India, 21‒23 September 2022). IEEE, 2022. PP. 275‒280. doi: 10.1109/ICIRCA54612.2022.9985480
Rana P., Gupta L. R., Dubey M.K., Kumar G. Review on evaluation techniques for better student learning outcomes using machine learning // Proceedings of the 2nd International Conference on Intelligent Engineering and Management (ICIEM, London, United Kingdom, 28‒30 April 2021). IEEE, 2021. PP. 86‒90. doi: 10.1109/ICIEM51511.2021.9445294
AlShehri Y., Ramaswamy L. SECOE: Alleviating Sensors Failure in Machine Learning-Coupled IoT Systems // Proceedings of the 21st International Conference on Machine Learning and Applications (ICMLA, Nassau, Bahamas, 2‒14 December 2022). IEEE, 2022. PP. 743‒747. doi: 10.1109/ICMLA55696.2022.00124
Tommy R., Sundeep G., Jose H. Automatic Detection and Correction of Vulnerabilities using Machine Learning // Proceedings of the International Conference on Current Trends in Computer, Electrical, Electronics and Communication (CTCEEC, Mysore, India, 08‒09 September 2017). IEEE, 2017. PP. 1062‒1065. doi: 10.1109/CTCEEC.2017.8454995
Jin Z., Yu Y. Current and Future Research of Machine Learning Based Vulnerability Detection // Proceedings of the Eighth International Conference on Instrumentation & Measurement, Computer, Communication and Control (IMCCC, Harbin, China, 19‒21 July 2018). IEEE, 2018. PP. 1562‒1566. doi: 10.1109/IMCCC.2018.00322
Zhumabekova A., Matson E.T., Karyukin V., Zhumabekova K., Zhuandykov B., Ussatova O., et al. Determining Web Application Vulnerabilities Using Machine Learning Methods // Proceedings of the 19th International Asian School-Seminar on Optimization Problems of Complex Systems (OPCS, Novosibirsk, Moscow, Russian Federation, 14‒22 August 2023). IEEE, 2023. PP. 136‒139. doi: 10.1109/OPCS59592.2023.10275756
Zhang K. A Machine Learning Based Approach to Identify SQL Injection Vulnerabilities // Proceedings of the 34th IEEE/ACM International Conference on Automated Software Engineering (San Diego, USA, 11‒15 November 2019). IEEE, 2019. PP. 1286‒1288. doi: 10.1109/ASE.2019.00164
Le Q.V., Mikolov T. Distributed Representations of Sentences and Documents // Proceedings of the 31st International Conference on Machine Learning (PMLR, Beijing, China, 21‒26 June 2014). 2014. Vol. 32. Iss. 2. PP. 1188‒1196.
Zheng W., Gao J., Wu X., Xun Y., Liu G., Chen X. An Empirical Study of High-Impact Factors for Machine Learning-Based Vulnerability Detection // Proceedings of the IEEE 2nd International Workshop on Intelligent Bug Fixing (IBF, London, ON, Canada, 18‒18 February 2020). IEEE, 2020. PP. 26‒34. doi: 10.1109/IBF50092.2020.9034888
Выборнова О.Н., Рыжиков А.Н. Применение машинного обучения с подкреплением для автоматизированного поиска уязвимостей информационных систем // Математические методы в технике и технологиях ‒ ММТТ. 2020. Т. 4. С. 110‒113.
Буйневич М.В., Израилов К.Е. Обобщенная модель статического анализа программного кода на базе машинного обучения применительно к задаче поиска уязвимостей // Информатизация и связь. 2020. №. 2. С. 143‒152. doi: 10.34219/2078-8320-2020-11-2-143-152
Демидов Р.А. Поиск уязвимостей в машинном коде с помощью методов глубокого обучения // IV межрегиональная научно-практическая конференция «Перспективные направления развития отечественных информационных технологий» (Севастополь, Российская Федерация,18–22 сентября 2018). Севастопольский государственный университет, 2018. С. 237‒238.
Bottou L. From machine learning to machine reasoning // Machine Learning. 2014. Vol. 94. Iss. 2. PP. 133–149. doi: 10.1007/s10994-013-5335-x
Осман С.Ш.О. Использование ИИ в поиске уязвимостей в локальных сетях или Веб-приложениях // IX международная научно-практическая конференция «Актуальные аспекты развития науки и общества в эпоху цифровой трансформации (шифр–МКАА)» (Москва, Российская Федерация, 25 июля 2023). Махачкала: Издательство АЛЕФ, 2023. С. 83‒88.
Максимова А.А., Гончаренко Л.Х., Бачевский А.Е., Гуртова К.С., Умеренко Г.С., Анистратенко М.А. Способ и Система выявления эксплуатируемых уязвимостей в программном коде. Патент на изобретение RUS 2790005 C1 от 10.03.2022. Опубл. 14.02.2023.
Левшун Д.С. Компонент анализа эффективности методов машинного обучения для предсказания значений метрик уязвимостей. Свидетельство о регистрации программы для ЭВМ № RU 2023619249 от 05.05.2023. Опубл. 05.05.2023.
Celisse A. Optimal cross-validation in density estimation with the L2-loss // The Annals of Statistics. 2014. Vol. 42. Iss. 5. PP. 1879‒1910. doi: 10.1214/14-AOS1240
Кустаров Д.А., Сорокин Л.А., Трухачев А.А. Прототип программного решения, реализующий перспективные технологии искусственного интеллекта применительно к тестированию на проникновение информационных систем. Свидетельство о регистрации программы для ЭВМ № RU 2022682324 от 22.11.2022. Опубл. 29.11.2022.

Supplementary files

Supplementary Files

Action

1. JATS XML

Download

Username
Password
Remember me

Forgot password?	Register

Username
Password
Remember me

Forgot password?	Register