Characterizing and Understanding Software Security Vulnerabilities in Machine Learning Libraries

Cited by: 3
Authors
Harzevili, Nima Shiri [1]
Shin, Jiho [1]
Wang, Junjie [2]
Wang, Song [1]
Nagappan, Nachiappan [3]
Affiliations
[1] York Univ, Lassonde Sch Engn, Toronto, ON, Canada
[2] Chinese Acad Sci, Inst Software, Beijing, Peoples R China
[3] IIIT Delhi, New Delhi, India
Keywords
Security vulnerability; machine learning libraries; empirical study
DOI
10.1109/MSR59073.2023.00018
Chinese Library Classification number
TP31 [Computer software]
Discipline classification code
081202; 0835
Abstract
The application of machine learning (ML) libraries has tremendously increased in many domains, including autonomous driving systems, medical, and critical industries. Vulnerabilities of such libraries could result in irreparable consequences. However, the characteristics of software security vulnerabilities have not been well studied. In this paper, to bridge this gap, we take the first step toward characterizing and understanding the security vulnerabilities of seven well-known ML libraries, including TensorFlow, PyTorch, Scikit-learn, Mlpack, Pandas, Numpy, and Scipy. To do so, we collected 683 security vulnerabilities to explore four major factors: 1) vulnerability types, 2) root causes, 3) symptoms, and 4) fixing patterns of security vulnerabilities in the studied ML libraries. The findings of this study can help developers and researchers understand the characteristics of security vulnerabilities across the studied ML libraries.
Pages: 27-38
Page count: 12