TMVDPatch: A Trusted Multi-View Decision System for Security Patch Identification-Reference-Cited by-同舟云学术

TMVDPatch: A Trusted Multi-View Decision System for Security Patch Identification

Published:2023-03-20 Issue:6 Volume:13 Page:3938
ISSN:2076-3417
Container-title:Applied Sciences
language:en
Short-container-title:Applied Sciences

Author:

Zhou Xin¹^ORCID,Pang Jianmin¹,Shan Zheng¹²,Yue Feng¹,Liu Fudong¹^ORCID,Xu Jinlong¹,Wang Junchao¹,Liu Wenfu¹³^ORCID,Liu Guangming¹

Affiliation:

1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450000, China

2. Songshan Laboratory, Zhengzhou 450000, China

3. State Key Laboratory of Complex Electromagnetic Environment Effects on Electronics and Information System, Luoyang 471000, China

Abstract

Nowadays, the time lag between vulnerability discovery and the timely remediation of the vulnerability is extremely important to the current state of cybersecurity. Unfortunately, the silent security patch presents a significant challenge. Despite related work having been conducted in this area, the patch identification lacks interpretability. To solve this problem, this paper first proposes a trusted multi-view security patch identification system called TMVDPatch. The system obtains evidence from message commit and code diff views respectively, and models the uncertainty of each view based on the D-S evidence theory, thereby providing credible and interpretable security patch identification results. On this basis, this paper performs weighted training on the original evidence based on the grey relational analysis method to improve the ability to make credible decisions based on multi-views. Experimental results show that the multi-view learning method exhibits excellent capabilities in terms of the complementary information provided by control dependency and data dependency, and the model shows strong robustness across different hyperparameter settings. TMVDPatch outperforms other models in all evaluation metrics, achieving an accuracy of 85.29% and a F1 score of 0.9001, clearly verifying the superiority of TMVDPatch in terms of accuracy, scientificity, and reliability.

Funder

National Natural Science Foundation of China

Publisher

MDPI AG

Subject

Fluid Flow and Transfer Processes,Computer Science Applications,Process Chemistry and Technology,General Engineering,Instrumentation,General Materials Science

Link

https://www.mdpi.com/2076-3417/13/6/3938/pdf

Reference45 articles.

1. Snyk (2023, January 19). The State of Open Source Security Report 2020. Available online: https://go.snyk.io/SoOSS-Report-2020.html.

2. Snyk (2023, January 19). Addressing Cybersecurity Challenges in Open Source Software. Available online: https://snyk.io/reports/open-source-security/.

3. ARMIS (2023, January 19). Log4j Vulnerability. Available online: https://www.armis.com/log4j.

4. ARMIS (2023, January 19). The Long Tail Matters with Apache Log4j. Available online: https://www.armis.com/blog/he-long-tail-matters-with-apache-log4j/.

5. Github (2023, January 19). The State of the Octovers. Available online: https://octoverse.github.com/2019/.

Cited by 2 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. VFCFinder: Pairing Security Advisories and Patches;Proceedings of the 19th ACM Asia Conference on Computer and Communications Security;2024-07

2. Vulnerability discovery based on source code patch commit mining: a systematic literature review;International Journal of Information Security;2024-01-06