Abstract

The growing number of open-source software vulnerabilities poses a significant risk to software security, and patches play a very important role in addressing this risk. Unfortunately, although most vulnerability patches are developed before the vulnerability is disclosed, only some of them are released together with the vulnerability. Existing research has found certain correlations between a vulnerability and its patch and ranks commits on features representing those correlations in order to locate the patch, but problems such as partially missing vulnerability data and poor localization accuracy remain. This paper proposes Patch-Locator, a new patch localization method based on learning to rank. It supplements vulnerability data by extending the vulnerability data sources, extracts more targeted correlation features from factors that better reflect the association between a vulnerability and its patch (the textual similarity between the vulnerability and the patch, the cause of the vulnerability, and the consequence it leads to), and uses the LambdaMart learning-to-rank model to rank commits by these correlation features so as to locate the security patch. Patch-Locator is evaluated on 1,669 vulnerabilities from 10 open-source projects. The experimental results show that Patch-Locator achieves a Recall@1 of 92.22%, a Recall@5 of 95.51%, and a Manual Effort@5 of 1.2455, all better than existing methods.

The growing number of Open Source Software (OSS) vulnerabilities poses a significant risk to software security, and patches play a very important role in addressing this risk. Unfortunately, although most patches for vulnerabilities are developed before the vulnerabilities are disclosed, only some are made public together with the vulnerability. Existing research has found some correlations between an OSS vulnerability and its patch, and uses features that represent these correlations to rank commits in order to locate security patches for OSS vulnerabilities. However, prior art still suffers from issues such as the partial absence of vulnerability data and poor localization accuracy. This paper proposes a new ranking-based approach, Patch-Locator, which supplements the vulnerability data by extending the vulnerability data sources, extracts more targeted correlation features based on factors that better reflect the association between vulnerabilities and patches (such as the similarity between the vulnerability and patch texts, and the causes of vulnerabilities and their resulting outcomes), and uses the LambdaMart model to rank commits by these correlation features to locate security patches. We evaluated Patch-Locator with 1,669 CVEs from 10 OSS projects. The experimental results show that Patch-Locator reaches 92.22% at Recall@1, 95.51% at Recall@5 and 1.2455 at Manual Effort@5, outperforming the state-of-the-art approaches.
Authors
杨云帆
薄莉莉
魏颖
吴潇雪
孙小兵
YANG Yunfan; BO Lili; WEI Ying; WU Xiaoxue; SUN Xiaobing (School of Information Engineering, Yangzhou University, Yangzhou 225127, China; Jiangsu Engineering Research Center Knowledge Management and Intelligent Service, Yangzhou 225127, China; State Key Lab. for Novel Software Technology, Nanjing University, Nanjing 210023, China)
Source

Journal of Chinese Computer Systems (《小型微型计算机系统》)
Indexed in CSCD; Peking University Core Journal
2024, No. 10, pp. 2551-2560 (10 pages)
Funding

Supported by the National Natural Science Foundation of China (61872312, 61972335, 62002309)
Supported by the State Key Laboratory for Novel Software Technology, Nanjing University (KFKT2022B17)
Supported by the Yangzhou City-University Cooperation Projects (YZ2021157, YBK202207)
Keywords

open source software
security patch
learning to rank
patch localization