Improved Recognition of Security Bugs via Dual Hyperparameter Optimization

11/04/2019
by Rui Shu, et al.

Background: Security bugs need to be handled by small groups of engineers before being widely discussed (otherwise the general public becomes vulnerable to hackers who exploit those bugs). But learning how to separate security bugs from other bugs is challenging, since security bugs may occur very rarely. Data mining that can find such scarce targets requires extensive tuning effort.

Goal: The goal of this research is to aid practitioners as they struggle to tune methods that try to distinguish security-related bug reports in a product's bug database, through the use of a dual hyperparameter optimizer that learns good settings for both learners and data pre-processing methods.

Method: The proposed method, named SWIFT, combines learner hyperparameter optimization with pre-processor hyperparameter optimization. SWIFT uses a technique called epsilon-dominance, the main idea of which is to ignore operations that do not significantly improve performance. As a result, the optimization effort is reduced.

Result: When compared to recent state-of-the-art results (from FARSEC, published in TSE'18), we find that SWIFT's dual optimization of both pre-processor and learner is more useful than optimizing each of them individually. For example, in a 10-way cross-validation study looking for security bugs from the Chromium web-browser, the FARSEC and SWIFT recalls were 20.4 example, in experiments with data from the Ambari software project, recalls improved from 30.4 to 83.9

Conclusion: Overall, our approach achieves better performance, and does so faster, than the existing state-of-the-art method. This encourages us to apply dual optimization to similar problems in future work.
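The sketch below is an added illustration of the two ideas named in the Method paragraph, tuning pre-processor and learner settings together and ignoring candidates that do not improve the score by more than epsilon; it is not SWIFT's implementation or code from the paper. The constructed data, the oversampling pre-processor, the k-NN learner, the scoring metric and the `lives`/`budget` stopping rule are all assumptions made for the example.

```python
import random

def make_reports(rng, n_other, n_sec):
    # Constructed data: (security-term count, is_security_bug); security bugs are rare.
    return ([(rng.gauss(1.0, 1.0), False) for _ in range(n_other)] +
            [(rng.gauss(3.0, 1.0), True) for _ in range(n_sec)])

def oversample(train, factor):
    # Pre-processor hyperparameter: number of copies of each security report.
    return [r for r in train for _ in range(factor if r[1] else 1)]

def knn_predict(data, x, k):
    # Learner hyperparameter: number of nearest neighbours that vote.
    near = sorted(data, key=lambda r: abs(r[0] - x))[:k]
    return 2 * sum(r[1] for r in near) > len(near)

def score(cfg, train, valid):
    # Harmonic mean of recall and (1 - false-alarm rate); the metric is an assumption.
    data = oversample(train, cfg["factor"])
    hits = [(knn_predict(data, x, cfg["k"]), sec) for x, sec in valid]
    pos = sum(sec for _, sec in hits)
    neg = len(hits) - pos
    rec = sum(h and sec for h, sec in hits) / pos if pos else 0.0
    spec = sum(not h and not sec for h, sec in hits) / neg if neg else 0.0
    return 2 * rec * spec / (rec + spec) if rec + spec else 0.0

def dual_search(train, valid, rng, eps=0.05, lives=8, budget=30):
    # Sample pre-processor and learner settings together. A candidate replaces
    # the incumbent only if it wins by more than eps; `lives` consecutive
    # candidates that fail to do so end the search early.
    best_cfg = {"factor": 1, "k": 1}  # untuned baseline
    best, evals, left = score(best_cfg, train, valid), 1, lives
    while left and evals < budget:
        cfg = {"factor": rng.randint(1, 20), "k": rng.choice([1, 3, 5, 7, 9])}
        s, evals = score(cfg, train, valid), evals + 1
        if s > best + eps:
            best_cfg, best, left = cfg, s, lives
        else:
            left -= 1
    return best_cfg, best, evals

if __name__ == "__main__":
    rng = random.Random(7)
    train, valid = make_reports(rng, 190, 10), make_reports(rng, 95, 5)
    print(dual_search(train, valid, rng))
```

Raising `eps` makes the search stop sooner, because fewer candidates count as significant improvements; with `eps` above the maximum possible score it ends after `lives` rejected candidates and returns the baseline.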
