Shifting Left for Machine Learning: An Empirical Study of Security Weaknesses in Supervised Learning-based Projects

Bhuiyan, Farzana Ahamed; Prowell, Stacy J.; Shahriar, Hossain; Wu, Fan; Rahman, Akond

doi:10.1109/COMPSAC54236.2022.00130

Title: Shifting Left for Machine Learning: An Empirical Study of Security Weaknesses in Supervised Learning-based Projects

Conference · Wed Jun 01 00:00:00 EDT 2022

DOI:https://doi.org/10.1109/COMPSAC54236.2022.00130· OSTI ID:1886496

Bhuiyan, Farzana Ahamed ^[1];

^[2]; Shahriar, Hossain ^[3]; Wu, Fan ^[4]; Rahman, Akond ^[1]

Tennessee Technological University (TTU)
ORNL
Kennesaw State University
Tuskegee University

Context: Supervised learning-based projects (SLPs), i.e., software projects that use supervised learning algorithms, such as decision trees are useful for performing classification-related tasks. Yet, security weaknesses, such as the use of hard-coded passwords in SLPs, can make SLPs susceptible to security attacks. A characterization of security weaknesses in SLPs can help practitioners understand the security weaknesses that are frequent in SLPs and adopt adequate mitigation strategies. Objective: The goal of this paper is to help practitioners se-curely develop supervised learning-based projects by conducting an empirical study of security weaknesses in supervised learning-based projects. Methodology: We conduct an empirical study by quantifying the frequency of security weaknesses in 278 open source SLPs. Results: We identify 22 types of security weaknesses that occur in SLPs. We observe ‘use of potentially dangerous function’ to be the most frequently occurring security weakness in SLPs. Of the identified 3,964 security weaknesses, 23.79 % and 40.49 % respectively, appear for source code files used to train and test models. We also observe evidence of co-location, e.g., instances of command injection co-locates with instances of potentially dangerous function. Conclusion: Based on our findings, we advocate for a shift left approach for SLP development with security-focused code reviews, and application of security static analysis.

View Conference

Cite

Export

Save

Research Organization:: Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States)

Sponsoring Organization:: USDOE

DOE Contract Number:: AC05-00OR22725

OSTI ID:: 1886496

Resource Relation:: Conference: Annual Computers, Software, and Applications Conference (COMPSAC) - Virtual, , Italy - 6/27/2022 8:00:00 AM-7/1/2022 8:00:00 AM

Country of Publication:: United States

Language:: English

Similar Records

Unsupervised and Supervised Learning over the Energy Landscape for Protein Decoy Selection

Journal Article · Mon Oct 14 00:00:00 EDT 2019 · Biomolecules · OSTI ID:1886496

Akhter, Nasrin; Chennupati, Gopinath; Kabir, Kazi Lutful; +2 more

Practical galaxy morphology tools from deep supervised representation learning

Journal Article · Mon Feb 28 00:00:00 EST 2022 · Monthly Notices of the Royal Astronomical Society · OSTI ID:1886496

Walmsley, Mike; Scaife, Anna M.; Lintott, Chris; +9 more

Self-supervised Representation Learning for Astronomical Images

Journal Article · Mon Apr 26 00:00:00 EDT 2021 · The Astrophysical Journal. Letters · OSTI ID:1886496

Hayat, Md Abul; Stein, George; Harrington, Peter; +2 more

Title: Shifting Left for Machine Learning: An Empirical Study of Security Weaknesses in Supervised Learning-based Projects

Citation Formats

Similar Records

Related Subjects