
Software Vulnerability Automatic Classification Framework Based on Activation Vulnerability Conditions (cited by 4)
Abstract: Aiming at the security flaws and vulnerabilities in software systems, this paper proposes an automatic vulnerability classification framework based on activation vulnerability conditions. The framework extracts features from textual reports and code fixes of vulnerabilities, then uses different machine learning algorithms (random forest, C4.5 decision tree, logistic regression and naive Bayes) to build a static model, and selects the model with the highest F-value on the dataset to identify the categories of unseen vulnerabilities. This framework helps developers design appropriate corrective measures in the software development and maintenance phases. The validity of the classification is evaluated by analysing 580 software security flaws of the Firefox project; the experimental results show that, under the proposed framework, the C4.5 decision tree achieves the best F-value among the classifiers for identifying the category of unseen vulnerabilities. In addition, the algorithm is compared with other algorithms on the Redhat Bugzilla dataset, where its classification performance is better, which shows the effectiveness of the algorithm.
Authors: WANG Feixue (王飞雪), LI Fang (李芳) (School of Computer Engineering, Chongqing Institute of Humanities and Technology, Chongqing 401524, China; School of Computer Science, Chongqing University, Chongqing 400044, China)
Source: Journal of Chongqing University of Technology: Natural Science (重庆理工大学学报(自然科学)), CAS-indexed, Peking University Core Journal, 2019, No. 5, pp. 154-160 (7 pages)
Funding: National Natural Science Foundation of China (61662083)
Keywords: security flaws; activation vulnerability conditions; vulnerability classification; machine learning algorithm; Firefox project
