VALAR: Streamlining Alarm Ranking in Static Analysis with Value-Flow Assisted Active Learning
Saved in:
| Published in: | IEEE/ACM International Conference on Automated Software Engineering : [proceedings], pp. 1940-1951 |
|---|---|
| Main authors: | Liu, Pengcheng; Lu, Yifei; Yang, Wenhua; Pan, Minxue |
| Format: | Conference proceeding |
| Language: | English |
| Published: | IEEE, 11.09.2023 |
| Subject terms: | |
| ISSN: | 2643-1572 |
| Online access: | Full text |
| Abstract | Static analyzers play a critical role in the detection of program defects and security vulnerabilities. Despite their importance, the widespread adoption of static analysis techniques in industrial development faces numerous obstacles, among which the high rate of false alarms constitutes a significant one. To address this issue, we propose a novel approach called Valar, which performs alarm ranking for advanced value-flow analysis using the active learning technique. Active learning algorithms minimize the manual effort for alarm inspection by maximizing the effect of each user labeling in recognizing true/false alarms. Meanwhile, the value-flows provide Valar with a concise and comprehensive summary of the operational semantics of programs. Based on this, Valar is able to reason about the potential correlations between alarms and prioritize the most profitable unlabeled alarm. Additionally, the accuracy of Valar increases as more user labels are given and Valar's active learning model is further refined. We evaluate Valar on 20 real-world C/C++ programs using three value-flow-based checkers. Our experimental results demonstrate that Valar significantly lowers the priorities of false alarms, with most true alarms ranked high. Notably, Valar ranked all true alarms in the top 47% in 90% of projects and ranked 90% of true alarms in the top 22% in 75% of projects. Furthermore, Valar has no requirement for pretraining and has a negligible computation time of less than 0.1s for each alarm prioritization. |
|---|---|
| Author | Liu, Pengcheng; Lu, Yifei; Yang, Wenhua; Pan, Minxue |
| Author_xml | 1. Liu, Pengcheng (mg21320010@smail.nju.edu.cn), Software Institute, Nanjing University, State Key Laboratory for Novel Software Technology, China; 2. Lu, Yifei (lyf@smail.nju.edu.cn), Software Institute, Nanjing University, State Key Laboratory for Novel Software Technology, China; 3. Yang, Wenhua (ywh@nuaa.edu.cn), College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, China; 4. Pan, Minxue (mxp@nju.edu.cn), Software Institute, Nanjing University, State Key Laboratory for Novel Software Technology, China |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DOI | 10.1109/ASE56229.2023.00098 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Xplore POP ALL IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP All) 1998-Present |
| Discipline | Computer Science |
| EISBN | 9798350329964 |
| EISSN | 2643-1572 |
| EndPage | 1951 |
| ExternalDocumentID | 10298558 |
| Genre | orig-research |
| GrantInformation_xml | National Natural Science Foundation of China, grant 61972193 (funder id 10.13039/501100001809) |
| ISICitedReferencesCount | 3 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| PageCount | 12 |
| PublicationCentury | 2000 |
| PublicationDate | 2023-Sept.-11 |
| PublicationDateYYYYMMDD | 2023-09-11 |
| PublicationDecade | 2020 |
| PublicationTitle | IEEE/ACM International Conference on Automated Software Engineering : [proceedings] |
| PublicationTitleAbbrev | ASE |
| PublicationYear | 2023 |
| Publisher | IEEE |
| StartPage | 1940 |
| SubjectTerms | active learning alarm ranking Correlation Inspection Labeling Manuals Security Semantics Static analysis |
| Title | VALAR: Streamlining Alarm Ranking in Static Analysis with Value-Flow Assisted Active Learning |
| URI | https://ieeexplore.ieee.org/document/10298558 |