Saturday, November 23, 2024

Tech News, analysis, updates, comments, reviews

Microsoft: Our AI can spot security flaws from just the titles of developers’ bug reports

Microsoft's machine-learning model can speed up the triage process when handling bug reports.

Microsoft has revealed how it’s applying machine learning to the challenge of correctly identifying which bug reports are actually security-related.

Its goal is to correctly identify security bugs at scale using a machine-learning model to analyze just the label of bug reports.

According to Microsoft, its 47,000 developers generate about 30,000 bugs a month, but only some of the flaws have security implications that need to be addressed during the development cycle.

Microsoft says its machine-learning model correctly distinguishes between security and non-security bugs 99% of the time. It can also accurately identify critical security bugs 97% of the time.

The model allows Microsoft to label and prioritize bugs without necessarily throwing more human resources at the challenge. Fortunately for Microsoft, it has a trove of 13 million work items and bugs it’s collected since 2001 to train its machine-learning model on.

Microsoft used a supervised learning approach to teach a machine-learning model how to classify data from pre-labeled data and then used that model to label data that wasn’t already classified.

Importantly, the classifier is able to classify bug reports just from the title of the bug report, allowing it to get around the problem of handling sensitive information within bug reports such as passwords or personal information.

“We train classifiers for the identification of security bug reports (SBRs) based solely on the title of the reports,” explain Mayana Pereira, a Microsoft data scientist, and Scott Christiansen from Microsoft’s Customer Security and Trust division in a new paper titled Identifying Security Bug Reports Based Solely on Report Titles and Noisy Data.

“To the best of our knowledge this is the first work to do so. Previous works either used the complete bug report or enhanced the bug report with additional complementary features,” they write.

“Classifying bugs based solely on the tile is particularly relevant when the complete bug reports cannot be made available due to privacy concerns. For example, it is notorious the case of bug reports that contain passwords and other sensitive data.”

Microsoft still relies on security experts who are involved in training, retraining, and evaluating the model, as well as approving training data that its data scientists fed into the machine-learning model.

“By applying machine learning to our data, we accurately classify which work items are security bugs 99% of the time. The model is also 97% accurate at labeling critical and non-critical security bugs. This level of accuracy gives us confidence that we are catching more security vulnerabilities before they are exploited,” Pereira and Christiansen said in a blogpost.

Microsoft plans to share its methodology on GitHub in the coming months.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Get notified whenever we post something new!

spot_img

Migrate to the cloud

Make yourself future-proof by migrating your infrastructure and services to the cloud. Become resilient, efficient and distributed.

Continue reading

Concerns about the ICT Bill 2024 in Kenya

THis post has been updated after the attention it is gannering. The original post can be found here: https://web.archive.org/web/20240813033032/https://blog.blancorpsolutions.com/kenya/concerns-about-the-ict-bill-2024-in-kenya/ Kenya's tech industry has been a beacon of innovation and growth, thanks in part to a regulatory environment that has allowed...

What are the real intentions of tracking IMEI numbers?

Imagine if you had a magic map that could show you where all your favorite toys were at any time. Sounds pretty? Well, in Kenya, the government wants to do something similar, but with people’s phones. They plan to...

The Tor Project + Tails, A Game-Changing Merger for Privacy Advocates

In a significant development for digital privacy enthusiasts, the Tor Project and Tails have merged their operations, uniting two of the most trusted tools in the fight against online surveillance. This merger, announced this month, combines the power of...

Enjoy exclusive discounts

Use the promo code SDBR002 to get amazing discounts to our software development services.