# Learning to Identify Security-Related Issues Using Convolutional Neural Networks

**Authors:** David N. Palacio, Daniel McCrystal, Kevin Moran, Carlos Bernal-Cárdenas, Denys Poshyvanyk, Chris Shenefiel

arXiv: 1908.00614 · 2019-08-06

## TL;DR

This paper introduces SecureReqNet, a neural network-based method that automatically identifies whether issues in software issue tracking systems describe security-related content, working purely from their natural language descriptions. It achieves an accuracy of 96% on open source issues and 71.6% on industrial requirements.

## Contribution

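The paper presents a novel two-phase neural network architecture. The first phase learns word embeddings from vulnerability descriptions in the CVE database and from issue descriptions extracted from open source projects; the second phase uses these embeddings to train a convolutional neural network that predicts whether a given issue is security-related.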

## Key findings

- Achieved 96% accuracy on open source issues
- Achieved 71.6% accuracy on industrial requirements
- Demonstrated effectiveness of NLP-based security issue classification

## Abstract

Software security is becoming a high priority for both large companies and start-ups alike due to the increasing potential for harm that vulnerabilities and breaches carry with them. However, attaining robust security assurance while delivering features requires a precarious balancing act in the context of agile development practices. One path forward to help aid development teams in securing their software products is through the design and development of security-focused automation. Ergo, we present a novel approach, called SecureReqNet, for automatically identifying whether issues in software issue tracking systems describe security-related content. Our approach consists of a two-phase neural net architecture that operates purely on the natural language descriptions of issues. The first phase of our approach learns high dimensional word embeddings from hundreds of thousands of vulnerability descriptions listed in the CVE database and issue descriptions extracted from open source projects. The second phase then utilizes the semantic ontology represented by these embeddings to train a convolutional neural network capable of predicting whether a given issue is security-related. We evaluated SecureReqNet by applying it to identify security-related issues from a dataset of thousands of issues mined from popular projects on GitLab and GitHub. In addition, we also applied our approach to identify security-related requirements from a commercial software project developed by a major telecommunication company. Our preliminary results are encouraging, with SecureReqNet achieving an accuracy of 96% on open source issues and 71.6% on industrial requirements.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1908.00614/full.md

## Figures

3 figures with captions in the complete paper: https://tomesphere.com/paper/1908.00614/full.md

## References

24 references — full list in the complete paper: https://tomesphere.com/paper/1908.00614/full.md

---
Source: https://tomesphere.com/paper/1908.00614