VERIFYING SOFTWARE CODE VULNERABILITIES USING MACHINE LEARNING AND CLASSIFICATION TECHNIQUES

Author/Creator ORCID

Date

2019-01-01

Department

Information Systems

Program

Information Systems

Citation of Original Publication

Rights

Distribution Rights granted to UMBC by the author.
Access limited to the UMBC community. Item may possibly be obtained via Interlibrary Loan thorugh a local library, pending author/copyright holder's permission.
This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.

Abstract

Software assurance analysts deal with thousands of potential vulnerabilities many of which are false positives during the process of static code analysis. Manual review of all such potential vulnerabilities is tedious, time consuming, and frequently impractical. This dissertations presents a novel classification algorithm along with its variants that successfully label true and false vulnerabilities in software code. A selection process identi?es the most important features utilized in the algorithm to detect and distinguish the true and false positive findings of the static code analysis results. This has been accomplished by an empirical and semantic method of identifying and using personal identifier as a critical feature for the classification. The approach has been validated by experimentation and comparison against thirteen existing classifiers. Extensive experiments were conducted using multiple production code and open source code with the aid of a variety of static code analysis tools. The results show signi?cant improvements in Accuracy, Precision, and Recall, outperforming all participating classifiers, leading to significant improvements in the security posture of a software system.