Auto-tuning program analysis tools using machine learning

US 10,135,856 B2
Filed: 01/25/2016
Issued: 11/20/2018
Est. Priority Date: 12/18/2014
Status: Active Grant

First Claim

Patent Images

1. A method to reduce false alarms generated by an automated analysis tool performing static security analysis on a software system, comprising:

receiving a set of data representing findings generated by the automated analysis tool, wherein the automated analysis tool generates findings by static security analysis of a call-tree representing call stacks of an application under analysis, and wherein at least one of the findings represents a vulnerability in the form of an unvalidated flow from a source to a sink in the application;

with respect to each of one or more particular findings in the set of data, automatically generating a classification for each of the one or more particular findings, wherein the classification is that a particular finding either is true or false and is based at least in part on a characteristic associated with the particular finding;

based on the automatically-generated classifications for the particular findings, computing a machine learning classifier using software executing in a hardware element by;

reducing each finding to a feature vector comprising a set of features common to each finding, wherein the set of features include one of;

witness length, source type, sink type, witness type, conditional statements, method calls and string operations generated by the automated analysis tool performing the static security analysis;

assigning weights to each of the set of features; and

based on the assigned weights, computing a weighting function having a threshold value that determines a correctness of a new finding; and

applying the machine learning classifier to a set of data representing findings generated by the static security analysis to reduce false alarms generated by the automated analysis tool.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Machine learning (ML) significantly reduces false alarms generated by an automated analysis tool performing static security analysis. Using either user-supplied or system-generated annotation of particular findings, a “hypothesis” is generated about how to classify other static analysis findings. The hypothesis is implemented as a machine learning classifier. To generate the classifier, a set of features are abstracted from a typical witness, and the system compares feature sets against one another to determine a set of weights for the classifier. The initial hypothesis is then validated against a second set of findings, and the classifier is adjusted as necessary based on how close it fits the new data. Once the approach converges on a final classifier, it is used to filter remaining findings in the report.

18 Citations

View as Search Results

15 Claims

1. A method to reduce false alarms generated by an automated analysis tool performing static security analysis on a software system, comprising:
- receiving a set of data representing findings generated by the automated analysis tool, wherein the automated analysis tool generates findings by static security analysis of a call-tree representing call stacks of an application under analysis, and wherein at least one of the findings represents a vulnerability in the form of an unvalidated flow from a source to a sink in the application;
  
  with respect to each of one or more particular findings in the set of data, automatically generating a classification for each of the one or more particular findings, wherein the classification is that a particular finding either is true or false and is based at least in part on a characteristic associated with the particular finding;
  
  based on the automatically-generated classifications for the particular findings, computing a machine learning classifier using software executing in a hardware element by;
  
  reducing each finding to a feature vector comprising a set of features common to each finding, wherein the set of features include one of;
  
  witness length, source type, sink type, witness type, conditional statements, method calls and string operations generated by the automated analysis tool performing the static security analysis;
  
  assigning weights to each of the set of features; and
  
  based on the assigned weights, computing a weighting function having a threshold value that determines a correctness of a new finding; and
  
  applying the machine learning classifier to a set of data representing findings generated by the static security analysis to reduce false alarms generated by the automated analysis tool.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as described in claim 1 wherein the weights are assigned by applying a regression analysis over the findings in the subset of the data according to the automatically-generated classifications.
  - 3. The method as described in claim 1 wherein the characteristic is one of:
    - that the particular finding is also present in data reported by a bug tracking system, that the particular finding was present in a prior version of the software system, and that the particular finding has a structural similarity to a finding that has an existing classification.
  - 4. The method as described in claim 1 wherein the particular findings are a subset of the findings generated by the static security analysis.
  - 5. The method as described in claim 1 further including supplementing the automatically-generated classifications with data representing user-generated classifications for at least some of the particular findings.

6. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to reduce false alarms generated by an automated analysis tool performing static security analysis on a software system, the computer program instructions operative to;
  
  receive a set of data representing findings generated by the automated analysis tool, wherein the automated analysis tool generates findings by static security analysis of a call-tree representing call stacks of an application under analysis, and wherein at least one of the findings represents a vulnerability in the form of an unvalidated flow from a source to a sink in the application;
  
  with respect to each of one or more particular findings in the set of data, automatically generate a classification for each of the one or more particular findings, wherein the classification is that a particular finding either is true or false and is based at least in part on a characteristic associated with the particular finding;
  
  based on the automatically-generated classifications for the particular findings, compute a machine learning classifier by;
  
  reducing each finding to a feature vector comprising a set of features common to each finding, wherein the set of features include one of;
  
  witness length, source type, sink type, witness type, conditional statements, method calls and string operations generated by the automated analysis tool performing the static security analysis;
  
  assigning weights to each of the set of features; and
  
  based on the assigned weights, computing a weighting function having a threshold value that determines a correctness of a new finding; and
  
  apply the machine learning classifier to a set of data representing findings generated by the static security analysis to reduce false alarms generated by the automated analysis tool.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The apparatus as described in claim 6 wherein the weights are assigned by applying a regression analysis over the findings in the subset of the data according to the automatically-generated classifications.
  - 8. The apparatus as described in claim 6 wherein the characteristic is one of:
    - that the particular finding is also present in data reported by a bug tracking system, that the particular finding was present in a prior version of the software system, and that the particular finding has a structural similarity to a finding that has an existing classification.
  - 9. The apparatus as described in claim 6 wherein the particular findings are a subset of the findings generated by the static security analysis.
  - 10. The apparatus as described in claim 6 wherein the computer program instructions are further operative to supplement the automatically-generated classifications with data representing user-generated classifications for at least some of the particular findings.

11. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to reduce false alarms generated by an automated analysis tool performing static security analysis on a software system, the computer program instructions operative to:
- receive a set of data representing findings generated by the automated analysis tool, wherein the automated analysis tool generates findings by static security analysis of a call-tree representing call stacks of an application under analysis, and wherein at least one of the findings represents a vulnerability in the form of an unvalidated flow from a source to a sink in the application;
  
  with respect to each of one or more particular findings in the set of data, automatically generate a classification for each of the one or more particular findings, wherein the classification is that a particular finding either is true or false and is based at least in part on a characteristic associated with the particular finding;
  
  based on the automatically-generated classifications for the particular findings, compute a machine learning classifier by;
  
  reducing each finding to a feature vector comprising a set of features common to each finding, wherein the set of features include one of;
  
  witness length, source type, sink type, witness type, conditional statements, method calls and string operations generated by the automated analysis tool performing the static security analysis;
  
  assigning weights to each of the set of features; and
  
  based on the assigned weights, computing a weighting function having a threshold value that determines a correctness of a new finding; and
  
  apply the machine learning classifier to a set of data representing findings generated by the static security analysis to reduce false alarms generated by the automated analysis tool.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computer program product as described in claim 11 wherein the weights are assigned by applying a regression analysis over the findings in the subset of the data according to the automatically-generated classifications.
  - 13. The computer program product as described in claim 11 wherein the characteristic is one of:
    - that the particular finding is also present in data reported by a bug tracking system, that the particular finding was present in a prior version of the software system, and that the particular finding has a structural similarity to a finding that has an existing classification.
  - 14. The computer program product as described in claim 11 wherein the particular findings are a subset of the findings generated by the static security analysis.
  - 15. The computer program product as described in claim 11 wherein the computer program instructions are further operative to supplement the automatically-generated classifications with data representing user-generated classifications for at least some of the particular findings.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Tripp, Omer
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US15/005,030
Publication Number

US 20160182558A1
Time in Patent Office

1,030 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/562   Static detection

G06F 2221/2101   Auditing as a secondary aspect

G06N 20/00   Machine learning

G06N 3/02   Neural networks

H04L 63/1433   Vulnerability analysis

H04L 63/1483   service impersonation, e.g....

Auto-tuning program analysis tools using machine learning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Auto-tuning program analysis tools using machine learning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links