Identify Linux Security Vulnerability Fix Patches Automatically

Zhou Peng; Wu Yanjun; Zhao Chen

doi:10.7544/issn1000-1239.20200492

Journal of Computer Research and Development > 2022 > 59(1): 197-208. > DOI: 10.7544/issn1000-1239.20200492

Zhou Peng, Wu Yanjun, Zhao Chen. Identify Linux Security Vulnerability Fix Patches Automatically[J]. Journal of Computer Research and Development, 2022, 59(1): 197-208. DOI: 10.7544/issn1000-1239.20200492

Citation:

PDF (917 KB)

Identify Linux Security Vulnerability Fix Patches Automatically

Zhou Peng^1,2,
Wu Yanjun^1,3,
Zhao Chen^1,3

¹(Institute of Software, Chinese Academy of Sciences, Beijing 100190)
²(University of Chinese Academy of Sciences, Beijing 100049)
³(State Key Laboratory of Computer Science (Institute of Software, Chinese Academy of Sciences), Beijing 100190)

Funds: This work was supported by the National Key Research and Development Program of China (2018YFB0803600), the Strategic Priority Research Program of Chinese Academy of Sciences (Y8XD373105), and the Key Research Program of Frontier Sciences, CAS (ZDBS-LY-JSC038).

More Information

Published Date: December 31, 2021

Graphical Abstract

Abstract

Abstract

It is critical to catch and apply the vulnerability fix patches in time to ensure the security of information system. However, it is found that open source software maintainers often silently fix security vulnerabilities. For example, 88% of maintainers delay informing users to fix vulnerabilities in the release notes of new software version, and only 9% of the bug fixes clearly give the corresponding CVE ID, and only 3% of the fixes will actively notify the security service provider in time. In many cases, security engineers can’t directly distinguish vulnerability fixes, bug fixes, and feature patches from the code and log message of patches. As a result, vulnerability fixes can’t be identified and applied by users timely. At the same time, it is costly for users to identify vulnerability fixes from a large number of patch submissions. Taking Linux as an example, this paper presents a method of identifying vulnerability patches automatically. This method defines features for the code and log message from patches, builds machine learning model, and trains to learn classifiers that can distinguish vulnerability patches. Experiments indicate that our approach is effective, which can get 91.3% precision, 92% accuracy, 87.53% recall rate, and reduce the false positive rate to 5.2%.

FullText(HTML)

References (0)

[1]	Xia Sibo, Ma Minghua, Jin Pengxiang, Cui Liyue, Zhang Shenglin, Jin Wa, Sun Yongqian, Pei Dan. Response Time Anomaly Diagnosis for Search Service[J]. Journal of Computer Research and Development, 2024, 61(6): 1573-1584. DOI: 10.7544/issn1000-1239.202330054
[2]	Zhang Yiwen, Cui Guangming, Yan Yuanting, Zhao Shu, Zhang Yanping. Quality Constraints-Aware Service Composition Based on Task Granulating[J]. Journal of Computer Research and Development, 2018, 55(6): 1345-1355. DOI: 10.7544/issn1000-1239.2018.20170234
[3]	Wan Changlin, Shi Zhongzhi, Hu Hong, Zhang Dapeng. QoS-Aware Semantic Web Service Modeling and Discovery[J]. Journal of Computer Research and Development, 2011, 48(6): 1059-1066.
[4]	Yang Yahui, Niu Zhenying, Xu Ke. Optimizing Design of Server Deployment in P2P Streaming System[J]. Journal of Computer Research and Development, 2010, 47(7): 1219-1224.
[5]	Deng Xiaopeng, Xing Chunxiao, Zhang Yong, Cai Lianhong. A QoS-Oriented Approach for Web Service Group Testing[J]. Journal of Computer Research and Development, 2009, 46(8): 1285-1293.
[6]	Yue Kun, Liu Weiyi, Wang Xiaoling, Li Jin. An Approach for Measuring Quality of Web Services Based on the Superposition of Uncertain Factors[J]. Journal of Computer Research and Development, 2009, 46(5): 841-849.
[7]	Tang Lei, Liao Yuan, Li Mingshu, Huai Xiaoyong. The Dynamic Deployment Problem and the Algorithm of Service Component for Pervasive Computing[J]. Journal of Computer Research and Development, 2007, 44(5): 815-822.
[8]	Hu Chunming, Huai Jinpeng, and Wo Tianyu. Flexible Resource Capacity Reservation Mechanism for Service Grid Using Slack Time[J]. Journal of Computer Research and Development, 2007, 44(1): 20-28.
[9]	Xu Mingwei, Hu Chunming, Liu Xudong, and Ma Dianfu. Research and Implementation of Web Service Differentiated QoS[J]. Journal of Computer Research and Development, 2005, 42(4): 669-675.
[10]	Li Zhendong and Xie Li. Research on Ensuring QoS and Its Admission Control in Web Servers[J]. Journal of Computer Research and Development, 2005, 42(4): 662-668.

Cited By

Cited by

Periodical cited type(10)

1.	陶蔚，陇盛，刘鑫，胡亚豪，黄金才. 深度学习步长自适应动量优化方法研究综述. 小型微型计算机系统. 2025(02): 257-265 .
2.	张泽东，陇盛，鲍蕾，陶卿. 基于AdaBelief的Heavy-Ball动量方法. 模式识别与人工智能. 2022(02): 106-115 .
3.	陇盛，陶蔚，张泽东，陶卿. 基于AdaGrad的自适应NAG方法及其最优个体收敛性. 软件学报. 2022(04): 1231-1243 .
4.	曲军谊. 基于对偶平均的动量方法研究综述. 计算机与数字工程. 2022(11): 2443-2448 .
5.	曲军谊，鲍蕾，陶卿. 非光滑凸问题投影型对偶平均优化方法的个体收敛性. 模式识别与人工智能. 2021(01): 25-32 .
6.	黄鉴之，陇盛，陶卿. 自适应策略下Heavy-Ball型动量法的最优个体收敛速率. 模式识别与人工智能. 2021(02): 137-145 .
7.	李兴怡，岳洋. 梯度下降算法研究综述. 软件工程. 2020(02): 1-4 .
8.	丁成诚，陶蔚，陶卿. 一种三参数统一化动量方法及其最优收敛速率. 计算机研究与发展. 2020(08): 1571-1580 . 本站查看
9.	鲁淑霞，蔡莲香，张罗幻. 基于动量加速零阶减小方差的鲁棒支持向量机. 计算机工程. 2020(12): 88-95+104 .
10.	黄鉴之，丁成诚，陶蔚，陶卿. 非光滑凸情形Adam型算法的最优个体收敛速率. 智能系统学报. 2020(06): 1140-1146 .