Vulnerability Prediction in Javascript Functions by Combining Machine Learning Algorithms
Keywords: Vulnerability, JavaScript, machine learning, deep learning, code metrics, dataset

Abstract
The rapid rise of cyber-crime activities and the growing number of devices threatened by them place software security issues in the spotlight. As around 90% of all attacks exploit known types of security issues, finding vulnerable components and applying existing mitigation techniques is a viable practical approach to fighting cyber-crime. In this paper, we investigate how state-of-the-art machine learning techniques, including a popular deep learning algorithm, perform in predicting functions with possible security vulnerabilities in JavaScript programs. We applied 8 machine learning algorithms to build prediction models using a new dataset constructed for this research from the vulnerability information in the public databases of the Node Security Project and the Snyk platform, and from code-fixing patches on GitHub. We used static source code metrics as predictors and an extensive grid-search algorithm to find the best performing models. We also examined the effect of various re-sampling strategies for handling the imbalanced nature of the dataset. The best performing algorithm was KNN, which produced a model for predicting vulnerable functions with an F-measure of 0.76 (0.91 precision and 0.66 recall). Moreover, deep learning, tree- and forest-based classifiers, and SVM were competitive, with F-measures over 0.70. Although the F-measures did not vary significantly with the re-sampling strategies, the distribution of precision and recall did change: without re-sampling, the models favoured high precision, while the re-sampling strategies balanced the two information-retrieval (IR) measures, precision and recall.
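The pipeline the abstract describes (static code metrics as features, a small and imbalanced vulnerable class, optional re-sampling of the training set, a KNN classifier, scoring by precision, recall and F-measure) as an added, runnable toy. This is example code written for this page, not the paper's implementation or dataset: the metric vectors and labels are constructed, only two metrics are used so the distances stay readable, and round-robin duplication stands in for random over-sampling. With this data, leaving the training set imbalanced yields a high-precision model that misses the one vulnerable function with modest metrics, while over-sampling the minority class recovers it at the cost of one false positive, the same precision/recall shift the abstract reports.

```python
"""Toy reconstruction of the pipeline described in the abstract: static source-code
metrics per function -> optional re-sampling of the imbalanced training set -> KNN,
scored with precision, recall and F-measure. Added example with constructed data;
it is not the paper's code or dataset."""
import itertools
import math
from collections import Counter

# Constructed metric vectors (cyclomatic complexity, max nesting depth) per function.
# Label 1 = function touched by a vulnerability-fixing patch, 0 = not. The 13:4 ratio
# mimics the imbalance the abstract mentions; the numbers themselves are invented.
# Both metrics are small integers on a comparable scale, so no normalisation is applied;
# a real pipeline would scale the metrics (e.g. min-max) before a distance-based model.
DATASET = [
    ((1, 1), 0), ((2, 1), 0), ((2, 2), 0), ((3, 1), 0), ((3, 2), 0), ((4, 2), 0),
    ((4, 3), 0), ((5, 2), 0), ((5, 3), 0), ((6, 3), 0), ((3, 3), 0), ((6, 1), 0),
    ((8, 3), 0),                      # clean function lying close to the vulnerable region
    ((14, 6), 1), ((16, 7), 1), ((10, 6), 1),
    ((9, 5), 1),                      # vulnerable function with modest metrics
]


def f_measure(precision, recall):
    """F-measure (F1): harmonic mean of precision and recall; 0 when both are 0."""
    if precision + recall == 0:
        return 0.0
    return 2 * precision * recall / (precision + recall)


def precision_recall_f(y_true, y_pred):
    """Precision, recall and F-measure for the positive (vulnerable) class."""
    tp = sum(t == 1 and p == 1 for t, p in zip(y_true, y_pred))
    fp = sum(t == 0 and p == 1 for t, p in zip(y_true, y_pred))
    fn = sum(t == 1 and p == 0 for t, p in zip(y_true, y_pred))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall, f_measure(precision, recall)


def oversample(train):
    """Duplicate minority-class rows (round-robin) until every class has as many rows
    as the largest class. Deterministic stand-in for random over-sampling."""
    by_label = {}
    for row in train:
        by_label.setdefault(row[1], []).append(row)
    target = max(len(rows) for rows in by_label.values())
    balanced = []
    for rows in by_label.values():
        balanced.extend(rows)
        balanced.extend(itertools.islice(itertools.cycle(rows), target - len(rows)))
    return balanced


def knn_predict(train, x, k=3):
    """Majority vote of the k training rows nearest to x (Euclidean distance)."""
    nearest = sorted((math.dist(xt, x), y) for xt, y in train)[:k]
    return Counter(y for _, y in nearest).most_common(1)[0][0]


def leave_one_out(dataset, k=3, resample=False):
    """Score each function with a KNN trained on all the others; returns (P, R, F)."""
    y_true, y_pred = [], []
    for i, (x, y) in enumerate(dataset):
        train = dataset[:i] + dataset[i + 1:]
        if resample:
            train = oversample(train)
        y_true.append(y)
        y_pred.append(knn_predict(train, x, k))
    return precision_recall_f(y_true, y_pred)


if __name__ == "__main__":
    for resample in (False, True):
        p, r, f = leave_one_out(DATASET, resample=resample)
        print(f"resample={resample!s:5}  precision={p:.2f}  recall={r:.2f}  F={f:.2f}")
```

On this constructed data the imbalanced run scores precision 1.00, recall 0.75, F 0.86, and the over-sampled run scores precision 0.80, recall 1.00, F 0.89: the F-measure barely moves while the precision/recall balance flips, because duplicated minority rows now outvote the majority neighbours of borderline points in both directions. The same `f_measure` function applied to the abstract's reported 0.91 precision and 0.66 recall gives 0.765, consistent with the reported 0.76 once rounding of the inputs is allowed for.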
