Characterizing and Understanding Software Security Vulnerabilities in Machine Learning Libraries

被引：3

作者：

Harzevili, Nima Shiri ^{[1
]}

Shin, Jiho ^{[1
]}

Wang, Junjie ^{[2
]}

Wang, Song ^{[1
]}

Nagappan, Nachiappan ^{[3
]}

机构：

[1] York Univ, Lassonde Sch Engn, Toronto, ON, Canada

[2] Chinese Acad Sci, Inst Software, Beijing, Peoples R China

[3] IIIT Delhi, New Delhi, India

来源：

2023 IEEE/ACM 20TH INTERNATIONAL CONFERENCE ON MINING SOFTWARE REPOSITORIES, MSR | 2023年

关键词：

Security vulnerability; machine learning libraries; empirical study;

D O I：

10.1109/MSR59073.2023.00018

中图分类号：

TP31 [计算机软件];

学科分类号：

081202 ; 0835 ;

摘要：

The application of machine learning (ML) libraries has tremendously increased in many domains, including autonomous driving systems, medical, and critical industries. Vulnerabilities of such libraries could result in irreparable consequences. However, the characteristics of software security vulnerabilities have not been well studied. In this paper, to bridge this gap, we take the first step toward characterizing and understanding the security vulnerabilities of seven well-known ML libraries, including TensorFlow, PyTorch, Scikit-learn, Mlpack, Pandas, Numpy, and Scipy. To do so, we collected 683 security vulnerabilities to explore four major factors: 1) vulnerability types, 2) root causes, 3) symptoms, and 4) fixing patterns of security vulnerabilities in the studied ML libraries. The findings of this study can help developers and researchers understand the characteristics of security vulnerabilities across the studied ML libraries.

引用

页码：27 / 38

页数：12

共 50 条

[21] Discovering software vulnerabilities using data-flow analysis and machine learning
Kronjee, Jorrit
Hommersom, Arjen
Vranken, Harald
13TH INTERNATIONAL CONFERENCE ON AVAILABILITY, RELIABILITY AND SECURITY (ARES 2018), 2019,
[22] A tree-based machine learning methodology to automatically classify software vulnerabilities
Aivatoglou, Georgios
Anastasiadis, Mike
Spanos, Georgios
Voulgaridis, Antonis
Votis, Konstantinos
Tzovaras, Dimitrios
PROCEEDINGS OF THE 2021 IEEE INTERNATIONAL CONFERENCE ON CYBER SECURITY AND RESILIENCE (IEEE CSR), 2021, : 312 - 317
[23] Machine Learning: Research on Detection of Network Security Vulnerabilities by Extracting and Matching Features
Xue Y.
Journal of Cyber Security and Mobility, 2023, 12 (05): : 697 - 710
[24] A Study of Security Vulnerabilities and Software Weaknesses in Vehicles
Xiong, Wenjun
Gulsever, Melek
Kaya, Koray Mustafa
Lagerstrom, Robert
SECURE IT SYSTEMS, NORDSEC 2019, 2019, 11875 : 204 - 218
[25] Software Security Vulnerabilities Seen As Feature Interactions
Jourdan, Guy-Vincent
FEATURE INTERACTIONS IN SOFTWARE AND COMMUNICATION SYSTEMS X, 2009, : 149 - 159
[26] Mapping Software Faults with Web Security Vulnerabilities
Fonseca, Jose
Vieira, Marco
2008 IEEE INTERNATIONAL CONFERENCE ON DEPENDABLE SYSTEMS & NETWORKS WITH FTCS & DCC, 2008, : 257 - +
[27] Vulnerabilities and Threats in Cloud Software Engineering Security
Yu, Weider D.
Runiassy, Maryam
Yin, Yijun
INTELLIGENT SYSTEMS AND APPLICATIONS (ICS 2014), 2015, 274 : 1822 - 1831
[28] Model checking security vulnerabilities in software design
Li Jinhua
Li Jing
2010 6TH INTERNATIONAL CONFERENCE ON WIRELESS COMMUNICATIONS NETWORKING AND MOBILE COMPUTING (WICOM), 2010,
[29] Security vulnerabilities in software systems: A quantitative perspective
Alhazmi, O
Malaiya, Y
Ray, I
DATA AND APPLICATIONS SECURITY XIX, PROCEEDINGS, 2005, 3654 : 281 - 294
[30] Understanding Software Vulnerabilities Related to Architectural Security Tactics An Empirical Investigation of Chromium, PHP and Thunderbird
Santos, Joanna C. S.
Peruma, Anthony
Mirakhorli, Mehdi
Galster, Matthias
Vidal, Jairo Veloz
Sejfia, Adriana
2017 IEEE INTERNATIONAL CONFERENCE ON SOFTWARE ARCHITECTURE (ICSA 2017), 2017, : 69 - 78

← 1 2 3 4 5 →